I'm using Logstash as the output method for Packetbeat and I want to filter transactions in Logstash. For example, I received 3 packets, described below:
packet A is from 192.168.0.3 to 192.168.0.4
packet B is from 192.168.0.3 to 192.168.0.5
packet C is from 192.168.0.3 to 10.0.168.9
Now I need Logstash to output only packet C. What I'm thinking now is to maintain a whitelist read from some config file in Logstash; any packet compliant with this list will be output and others won't.
Does Logstash have this kind of feature? Or is there any workaround I can take?
Thanks a lot!
I don't know if there is a way to do this; Packetbeat stores hostnames rather than IPs for the most part. It does store a client_ip though, so maybe you can use that?
Thanks for the reply. I finally figured out a way to work around this using a new experimental feature in the latest version, 2.3.2. The new feature allows Logstash to read system environment variables; after that I use mutate to add a new field that contains the desired content, and then I can do the filtering in Ruby code.
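The allowlist check described in this thread, written out as an added example (not code from any of the posters): a comma-separated list of networks is read from an environment variable and each event's destination address is tested against it, as the Ruby filtering step would do. The variable name `DEST_ALLOWLIST`, the destination field name `ip` and the sample events are assumptions constructed for illustration.

```ruby
require 'ipaddr'

# Parse a comma-separated allowlist such as "10.0.0.0/8,192.168.100.1".
# A malformed entry raises, so a typo fails loudly at startup instead of
# silently changing what gets through.
def parse_allowlist(raw)
  raw.to_s.split(',').map(&:strip).reject(&:empty?).map { |net| IPAddr.new(net) }
end

# True when the event's destination address is inside an allowed network.
# Missing or unparseable addresses are not kept (fail closed).
def keep_event?(event, allowlist, field = 'ip') # 'ip' is an assumed field name
  value = event[field].to_s
  return false if value.empty?
  addr = IPAddr.new(value)
  allowlist.any? { |net| net.include?(addr) }
rescue ArgumentError # IPAddr::InvalidAddressError is a subclass
  false
end

# Return only the events that pass; inside a Logstash ruby filter the
# rejected ones would be dropped with event.cancel instead.
def filter_events(events, allowlist)
  events.select { |e| keep_event?(e, allowlist) }
end

# Constructed sample events mirroring packets A, B and C from the question.
SAMPLE_EVENTS = [
  { 'name' => 'A', 'client_ip' => '192.168.0.3', 'ip' => '192.168.0.4' },
  { 'name' => 'B', 'client_ip' => '192.168.0.3', 'ip' => '192.168.0.5' },
  { 'name' => 'C', 'client_ip' => '192.168.0.3', 'ip' => '10.0.168.9' }
].freeze

if __FILE__ == $PROGRAM_NAME
  # DEST_ALLOWLIST is a hypothetical variable name; the default is constructed.
  allowlist = parse_allowlist(ENV.fetch('DEST_ALLOWLIST', '10.0.0.0/8'))
  filter_events(SAMPLE_EVENTS, allowlist).each do |e|
    puts "keep #{e['name']}: #{e['client_ip']} -> #{e['ip']}"
  end
end
```

An empty allowlist keeps nothing, so an unset or blank variable drops every event rather than passing all traffic through.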