Logstash filter if conditional fails to match string ended with "\u0000"

I am using logstash to receive network logs using syslog input module. I would like to drop the event if the log message is equal to A10. The pipeline is as follows:

input {
	syslog {
		ecs_compatibility => "v1"
		timezone => "Asia/Hong_Kong"
		port => "5000"
		type => "syslog"
		grok_pattern => "%{SYSLOG5424LINE}"
		tags => [ "PAN-OS_syslog" ]

filter {
	# Drop A10 events
	if [message] == "A10" { 
		drop { } 

	# Drop event if no "PAN-OS_syslog" tag
	if "PAN-OS_syslog" not in [tags] {
		drop { }

output {
	if ([message] =~ /TRAFFIC/) {
		pipeline { send_to => "sys-log-traffic" }
	}	else if ([message] =~ /THREAT/) {
		pipeline { send_to => "sys-log-threat" }	
	} else {
		pipeline { send_to => "sys-log-wifi" }

However, it fails to drop the event with the message A10. I checked the json object on Kibana, there is a special character \u0000 attached

	"_index": "sys-wifi-2022.02-000002",
 	"_type": "_doc",
	# ...
	"message": "A10\u0000",

I tried to correct the pipeline to if [message] == "A10\u0000", it does not filter the event as intended. I also tried to match the message with if [message] =~ "A10", it works, but I don't want all messages that contain "A10" string to be filtered out.

Is there a way to match the string as I intended? Thank you in advance for your input.

I'm not sure if it works, but how about gsub or strip option of mutate plugin before check the message == "A10".

Maybe if [message] =~ "^A10.$" { drop {} } which should drop any four character [message] that starts with A10.

1 Like

This does certainly solve my problem, thank you very much.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.