Hello guys. I hope everyone is doing well.
I am a bit confused about ELK, specifically about LogStash and I hope you can help me to clarify this issue.
A couple of weeks ago, one of our clients started forwarding syslogs from on-prem using ArcSight to one of our VMs (Windows Server) running Elasticsearch, Kibana and Logstash. Since the starting day (2 weeks ago) they sent over 200 GB of data, but due to company policy I was able to configure ELK only a couple of days ago and start reading the syslog data forwarded.
One of my concerns is that tons of these syslogs contain blank fields, so I asked our client to filter those syslogs, removing all the fields that are blank. They said that the filter has been put in place, but when I log into my VM to check the syslogs, I still see those blank fields in my reports.
So I was wondering: is this my issue because of the refresh (as I started accepting the syslog 2 weeks later, so I am still visualising the old data), or did our client not configure the filtering properly?
I hope I made my point clear. I am new to ELK and hope you can help me understand this point. And please, if you need more details, just let me know.
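As an added example (not code from the original post or from any Elastic project), here is the kind of blank-field removal logic one could place in a Logstash `ruby` filter, written as a plain Ruby function so it can be run and tested on its own. It assumes events arrive as key/value fields (for example after parsing), and the sample event, its field names and values are constructed for the example.

```ruby
# Added example: remove blank fields from a parsed log event.
# Mirrors what the body of a Logstash `ruby` filter would do with
# event.to_hash / event.remove(field), but runs outside Logstash.
#
# A value counts as blank when it is nil, an empty or whitespace-only
# string, an empty array or an empty hash. Nested hashes are cleaned
# recursively, and a nested hash that ends up empty is dropped as well.
def blank_value?(value)
  case value
  when nil then true
  when String then value.strip.empty?
  when Array, Hash then value.empty?
  else false
  end
end

def strip_blank_fields(event)
  cleaned = {}
  event.each do |key, value|
    value = strip_blank_fields(value) if value.is_a?(Hash)
    cleaned[key] = value unless blank_value?(value)
  end
  cleaned
end

# Constructed sample (hypothetical values): a parsed syslog-style event
# carrying several empty fields, like the ones the post describes.
SAMPLE_EVENT = {
  "@timestamp" => "2023-01-01T00:00:00Z",
  "host"       => "fw-01",
  "message"    => "Connection denied",
  "src_ip"     => "   ",
  "dst_ip"     => "",
  "user"       => nil,
  "tags"       => [],
  "extension"  => { "app" => "ssh", "reason" => "", "extra" => {} },
}.freeze

# Returns the cleaned copy of the sample event.
def demo
  strip_blank_fields(SAMPLE_EVENT)
end

if __FILE__ == $PROGRAM_NAME
  require "json"
  puts JSON.pretty_generate(demo)
end
```

A filter like this only changes events that pass through Logstash after it is enabled; documents already indexed in Elasticsearch keep their blank fields. So a quick way to tell the two cases in the question apart is to compare the `@timestamp` of the documents that still show blank fields with the time the client says the filter went live: if only older documents have them, the filter is working and the old data is what is being visualised.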