Greetings,
I have been fighting something for 2 days now that severely alludes me at this point: I cannot get the [UFW BLOCK] entries in syslog to either get blocked by the filebeat system module via regex or by filtering out via logstash. This is what I am trying to get rid of: It currently goes through the system module to the system grok patterns and ends up in system.syslog.message:
`[3430054.688179] [UFW BLOCK] IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:2d:3a:2b:b4:08:00 SRC=45.58.43.180 DST=255.255.255.255 LEN=201 TOS=0x00 PREC=0x00 TTL=64 ID=9554 DF PROTO=UDP SPT=52008 DPT=1900 LEN=181`
This is what my drop filter looks like for it:
filter {
if [system][syslog][message] =~ /^.UFW BLOCK.$/ { drop { } }
}
I've tried putting this after it gets added to message, as in comparing it to [message], I've also tried doing "UFW BLOCK" in [message]. I've tried about every combination I can think of to get rid of these. I tried exclude_line also and it was not working either. I must be missing something fundamental and any help would be greatly appreciated. (And yes I wish I could just have these annoying messages not go to syslog, but that is not within my power to decide on).