Logstash Drop Filter for UFW BLOCK in Syslog

Greetings,
I have been fighting something for 2 days now that severely eludes me at this point: I cannot get the [UFW BLOCK] entries in syslog to either get blocked by the filebeat system module via regex or by filtering out via logstash. This is what I am trying to get rid of: It currently goes through the system module to the system grok patterns and ends up in system.syslog.message:

`[3430054.688179] [UFW BLOCK] IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:2d:3a:2b:b4:08:00 SRC=45.58.43.180 DST=255.255.255.255 LEN=201 TOS=0x00 PREC=0x00 TTL=64 ID=9554 DF PROTO=UDP SPT=52008 DPT=1900 LEN=181` 

This is what my drop filter looks like for it:

```
filter {
  # `.` matches exactly one character, so the pattern as pasted (`/^.UFW BLOCK.$/`)
  # can never match a real line; it needs `.*` on both sides, or just /UFW BLOCK/.
  if [system][syslog][message] =~ /^.*UFW BLOCK.*$/ { drop { } }
}
```

I've tried putting this after it gets added to message, as in comparing it to [message], I've also tried doing "UFW BLOCK" in [message]. I've tried about every combination I can think of to get rid of these. I tried exclude_line also and it was not working either. I must be missing something fundamental and any help would be greatly appreciated. (And yes I wish I could just have these annoying messages not go to syslog, but that is not within my power to decide on).
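An added example, not part of the original post: Logstash runs on JRuby and the `=~` in a conditional is a plain Ruby regexp match, so the same patterns can be checked in Ruby against the UFW line quoted above plus two constructed ordinary syslog lines. The sample events, the `apply_drop_filter` and `parse_ufw_block` helpers, and the field name `message` (the field Filebeat ships the raw line in before any module grok runs) are all assumptions of this example; the parser is included for anyone who would rather keep the blocks as structured firewall events than drop them.

```ruby
# Added example (not from the original post): simulate a Logstash drop conditional
# in plain Ruby. Logstash runs on JRuby and its `=~` conditional is a Ruby regexp
# match, so a pattern behaves the same way here as in a filter block.

# Constructed sample events: the UFW BLOCK line from the post plus two ordinary
# syslog messages that must survive the filter.
SAMPLE_EVENTS = [
  { "message" => "[3430054.688179] [UFW BLOCK] IN=br0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:2d:3a:2b:b4:08:00 SRC=45.58.43.180 DST=255.255.255.255 LEN=201 TOS=0x00 PREC=0x00 TTL=64 ID=9554 DF PROTO=UDP SPT=52008 DPT=1900 LEN=181" },
  { "message" => "sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2" },
  { "message" => "systemd[1]: Started Daily apt download activities." },
]

# Pattern as it appeared in the post: `.` matches a single character, so
# `^.UFW BLOCK.$` only matches a line that is exactly 11 characters long.
BROKEN_PATTERN = /^.UFW BLOCK.$/
# Pattern as presumably intended, with `.*` on both sides.
INTENDED_PATTERN = /^.*UFW BLOCK.*$/
# Simplest form: an unanchored substring match is all a drop condition needs.
SIMPLE_PATTERN = /UFW BLOCK/

# Mirror of `if [message] =~ /.../ { drop { } }`: return only the events that
# are NOT dropped.
def apply_drop_filter(events, pattern)
  events.reject { |ev| ev["message"] =~ pattern }
end

# Parse the UFW key=value fields into a hash (hypothetical helper). Returns nil
# for lines that are not UFW block records.
def parse_ufw_block(message)
  return nil unless message.include?("[UFW BLOCK]")
  fields = {}
  # Everything after "[UFW BLOCK]" is space-separated KEY=VALUE tokens; bare
  # flags such as "DF" carry no value. A repeated key (LEN appears twice: IP
  # length, then UDP length) keeps the last value.
  tail = message.split("[UFW BLOCK]", 2).last.strip
  tail.split(/\s+/).each do |tok|
    key, value = tok.split("=", 2)
    fields[key] = value.nil? ? true : value
  end
  fields
end

if __FILE__ == $PROGRAM_NAME
  [BROKEN_PATTERN, INTENDED_PATTERN, SIMPLE_PATTERN].each do |pat|
    kept = apply_drop_filter(SAMPLE_EVENTS, pat)
    puts "#{pat.inspect}: #{kept.size} of #{SAMPLE_EVENTS.size} events kept"
  end
  p parse_ufw_block(SAMPLE_EVENTS.first["message"])
end
```

Running it shows the broken pattern keeping all three events while both corrected patterns keep only the two non-UFW lines, which is the behaviour the drop filter is after.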
