How to reject incoming logs easily?


#1

Hello,

we have a small Elastic Stack setup.
There are several sources that are frequently sending logs to Logstash, but they are not needed anymore.
However, I don't have access to some of them, and the person responsible doesn't seem to be interested in turning them off (logs are being sent directly from the devices, not through Beats).
This made me wonder if there was an easy way to reject certain incoming logs on Logstash in the best way.
I could use something like another Logstash server which sends the logs to a broker like RabbitMQ, which sends them to another Logstash server again, but that seems overkill for my use case.
I don't want to close the port, as there are a lot of machines sending their logs to it (tcp input plugin).
I can't seem to find anything useful; maybe I'm searching for the wrong terms.

Do you know a good way to reject unwanted logs in Logstash?


(Lewis Barclay) #2

Just simply use the "drop" filter.

You can do conditional drops such as:

if [host] == "ip address or hostname" {
   mutate {
        drop { }
   }
}

(Guy Boertje) #3

Note that drop is a filter in its own right and not a sub-function of the mutate filter.


(Lewis Barclay) #4

Apologies, this is correct!
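Putting #2 and #3 together, here is a complete pipeline showing the corrected form (drop as a top-level filter, not nested in mutate). This is an added example, not code from the thread or from Elastic; the port number, the host values and the tag name are made-up placeholders, and it assumes the tcp input populates a plain `[host]` string as it did in the versions this thread discusses (on newer releases with ECS compatibility enabled the client address lands in a different field, so check the tcp input documentation for your version before relying on the field name).

```logstash
# Added example (not from the thread): reject unwanted senders at the
# filter stage while keeping the shared TCP port open for everyone else.
input {
  tcp {
    port => 5140          # placeholder port; use the one your devices send to
  }
}

filter {
  # Assumption: [host] holds the sending device's IP or hostname as a string.
  # Events from these senders are discarded before they reach any output.
  if [host] in ["10.0.0.5", "10.0.0.6", "retired-switch-01"] {
    drop { }
  }

  # Dropping by content works the same way, e.g. a noisy message prefix.
  if [message] =~ /^KEEPALIVE/ {
    drop { }
  }

  # Everything that survives the drops is tagged so a dashboard or a
  # count on this tag shows how much the remaining senders are producing.
  mutate {
    add_tag => ["accepted"]
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]   # placeholder; point at your cluster
  }
}
```

Note that drop only stops the event from being filtered further and output; the bytes are still received and decoded by the tcp input, so the unwanted senders keep consuming connection and CPU capacity on the Logstash node. If that matters, the usual complement is to block those sources at the host firewall in front of the port, which the filter does not do.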