How to remove IP-address from elasticsearch submission after geoip parses it?

Our logs contain clients' IP-addresses, which we pass to the geoip-filter:

filter {
	geoip {
		source => "client_ip"
	}
	# ...
}
output {
	elasticsearch {
		hosts => ["...."]
		index => "logstash-%{+YYYY.MM.dd}"
	}
	# ...
}

This sends both -- the original client_ip field (found by a match) and the geographical information derived from it -- into Elasticsearch. However, we do not want to keep the IP-address around -- to save space and avoid tangling with Europe's "privacy" regulations. How do we exclude it?

Check out Mutate Filter remove_field: https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html


You can also remove it in the geoip filter: https://www.elastic.co/guide/en/logstash/current/plugins-filters-geoip.html#plugins-filters-geoip-remove_field
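Both suggestions combined in one pipeline, as an added example that is not part of the original posts. The explicit `target => "geoip"` and the `hosts` value are assumptions made here; `client_ip` and the index pattern come from the question.

```logstash
filter {
  geoip {
    source => "client_ip"
    # Assumption: an explicit target, so the nested field path used below is known.
    target => "geoip"
    # remove_field on a filter is applied only when that filter succeeds,
    # so this alone leaves client_ip in place on events whose lookup failed.
    remove_field => ["client_ip"]
  }

  # Unconditional cleanup. It covers events where the lookup failed
  # (private or unparseable addresses) and also drops the copy of the
  # looked-up address that the geoip filter writes under its target.
  # Removing a field that does not exist is a no-op.
  mutate {
    remove_field => ["client_ip", "[geoip][ip]"]
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]   # placeholder host, replace with your own
    index => "logstash-%{+YYYY.MM.dd}"
  }
}
```

If `client_ip` was extracted from the raw `message` field by a match, the address is still present in `message`; this example does not change that field.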
