Logstash filter if conditional fails to match string ended with "\u0000"

I am using Logstash to receive network logs using the syslog input module. I would like to drop the event if the log message is equal to A10. The pipeline is as follows:

input {
	syslog {
		ecs_compatibility => "v1"
		timezone => "Asia/Hong_Kong"
		port => "5000"
		type => "syslog"
		grok_pattern => "%{SYSLOG5424LINE}"
		tags => [ "PAN-OS_syslog" ]
	}
}

filter {
	# Drop A10 events
	if [message] == "A10" {
		drop { }
	}

	# Drop event if no "PAN-OS_syslog" tag
	if "PAN-OS_syslog" not in [tags] {
		drop { }
	}
}

output {
	if ([message] =~ /TRAFFIC/) {
		pipeline { send_to => "sys-log-traffic" }
	} else if ([message] =~ /THREAT/) {
		pipeline { send_to => "sys-log-threat" }
	} else {
		pipeline { send_to => "sys-log-wifi" }
	}
}

However, it fails to drop the event with the message A10. I checked the JSON object in Kibana; there is a special character \u0000 attached:

{
	"_index": "sys-wifi-2022.02-000002",
	"_type": "_doc",
	# ...
	"message": "A10\u0000",
}

I tried changing the pipeline to if [message] == "A10\u0000", but it does not filter the event as intended. I also tried to match the message with if [message] =~ "A10", which works, but I don't want all messages that contain the "A10" string to be filtered out.

Is there a way to match the string as I intended? Thank you in advance for your input.

I'm not sure if it works, but how about the gsub or strip option of the mutate plugin before checking message == "A10"?

Maybe if [message] =~ "^A10.$" { drop {} }, which should drop any four-character [message] that starts with A10.

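The two approaches discussed above, written as an added example (not code from the thread) in the form of a Logstash ruby filter script: trailing NULs are stripped before an exact comparison with "A10", and the reply's ^A10.$ regex sits beside it so the difference in what each one drops is visible. The SampleEvent class and the sample messages are constructed stand-ins for running outside Logstash; the filter(event) entry point is assumed to be what the ruby filter calls when the script is loaded with path =>.

```ruby
# Added example: drop logic for the "A10\u0000" case from the question.
# Runs stand-alone here; in Logstash the same file can be loaded by a
# ruby { path => "..." } filter, where filter(event) returning [] drops the event.

# Strategy 1: strip only trailing NUL characters, then require an exact match.
# Drops "A10\u0000" and "A10"; keeps "A10X", "A100" and "XA10".
def drop_exact?(message)
  message.to_s.sub(/\u0000+\z/, "") == "A10"
end

# Strategy 2: the anchored regex from the reply. Any four-character message that
# begins with "A10" is dropped, so "A10X" and "A100" go too (the caveat).
def drop_regex?(message)
  !(message.to_s =~ /^A10.$/).nil?
end

# Logstash ruby-filter entry point: [] drops the event, [event] keeps it.
def filter(event)
  drop_exact?(event.get("message")) ? [] : [event]
end

# Minimal stand-in for a Logstash event (constructed for this example only;
# inside Logstash the real LogStash::Event is passed in instead).
class SampleEvent
  def initialize(fields)
    @fields = fields
  end

  def get(name)
    @fields[name]
  end
end

# Constructed sample messages, including the NUL-terminated one from the question.
SAMPLES = ["A10\u0000", "A10", "A10X", "XA10\u0000", "TRAFFIC start"].freeze

# Messages that survive the exact-match filter.
def survivors(messages = SAMPLES)
  messages.map { |m| SampleEvent.new("message" => m) }
          .flat_map { |e| filter(e) }
          .map { |e| e.get("message") }
end

if __FILE__ == $PROGRAM_NAME
  puts survivors.inspect   # => ["A10X", "XA10\u0000", "TRAFFIC start"]
end
```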

This does certainly solve my problem, thank you very much.
