How to filter out kernel messages by logstash?

I am using the following logstash config to monitor user SSH events on our remote machines. I am using filebeat to send syslogs from all the servers to our ELK server. I only want user events. I want to ignore all networking and other kernel messages. How can I do that?

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

## Add your filters / logstash plugins configuration here
filter {
  if [type] == "syslog" {
    # Split the raw syslog line into timestamp, host, program, pid and message
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => {
        "received_at" => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }
    # Decode the syslog <PRI> facility/severity, if present
    syslog_pri { }
    # Use the timestamp from the log line as the event time
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => "127.0.0.1:9200"
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

Hi Rishi,

What is the error or problem? How are you filtering the data you don't need?

Hi Nachiket,

There is no error as such. But there is too much data. I don't want kernel or other networking messages. I want only user information, i.e. when a user logged in or which commands they ran, etc.

If you want to drop events and not have them sent on, you can use the Logstash drop filter together with appropriate conditionals.

1 Like
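One way to do that with the drop filter, as an added example that is not part of the answer above or of Logstash's own documentation. It repeats the grok pattern from the question's config so that `syslog_program` is populated before the conditionals run; the list of programs worth keeping (sshd, sudo, systemd-logind, login, su) is an assumption to adjust for your hosts.

```logstash
filter {
  if [type] == "syslog" {
    # Same pattern as the question's config: extracts syslog_program,
    # which is "kernel" for every kernel/netfilter line.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }

    # Lines grok could not parse have no syslog_program at all. Tag them
    # instead of dropping them, so nothing disappears from the index unseen.
    if "_grokparsefailure" in [tags] {
      mutate { add_tag => [ "needs_review" ] }
    }
    # Allow-list: keep only programs that record user activity and drop
    # everything else (kernel, NetworkManager, cron, ...). Assumed list.
    else if [syslog_program] not in [ "sshd", "sudo", "systemd-logind", "login", "su" ] {
      drop { }
    }
  }
}
```

Replacing the second condition with `[syslog_program] == "kernel"` gives the minimal deny-list variant that only removes kernel messages; the allow-list is usually the better choice for a login-monitoring pipeline because new noisy daemons are excluded by default rather than by another rule. sshd lines give you the logins and sudo lines carry the `COMMAND=` field, which is the "which commands they ran" part of the question. Keep in mind that a dropped event is gone from Elasticsearch for good; if you might need kernel messages later for an investigation, route them to a separate, cheaper index with an output conditional instead of dropping them.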
