How to remove IP-address from elasticsearch submission after geoip parses it?

UnitedMarsupials · June 22, 2017, 5:33pm

Our logs contain clients' IP-addresses, which we pass to the geoip-filter:

filter {
		geoip {
			source => "client_ip"
		}
...
output {
		elasticsearch {
			hosts => ["...."]
			index => "logstash-%{+YYYY.MM.dd}"
		}
...

This sends both -- the original client_ip field (found by a match) and the geographical information derived from it -- into ElasticSearch. However, we do not want to keep the IP-address around -- to save space and avoid tangling with Europe's "privacy" regulations. How do we exclude it?

Rory · June 22, 2017, 8:35pm

Check out Mutate Filter remove_field: https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html

warkolm · June 22, 2017, 11:36pm

You can also remove it in the geoip filter . https://www.elastic.co/guide/en/logstash/current/plugins-filters-geoip.html#plugins-filters-geoip-remove_field

system · July 20, 2017, 11:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Remove raw fields from geoip? Logstash	5	2466	July 6, 2017
Logstash mutate filter Logstash	9	1811	July 6, 2017
How can I remove unwanted parameters in logstash geoip Logstash	2	822	February 17, 2020
Logstash drop unnecessary fields ( ip2location plugin ) Logstash	7	682	February 15, 2021
Logstash dns filter and indexing IP input as "ip" type in Elasticsearch Elasticsearch	1	686	September 5, 2018

How to remove IP-address from elasticsearch submission after geoip parses it?

Related topics