Null terminated message string

LisaJ · October 5, 2022, 6:27pm

I have a syslog message that contains a null terminated string: "syslog_message":"A10\u0000" -- these messages represent is-alive checks from a load balancer to the logstash servers. I would prefer not to have thousands of "the A10 checked & said logstash is still there" filling up Elasticsearch.

I've been able to filter out any messages that start with A10. Since our "real" messages , I shouldn't be dropping any good data, but I wonder if there is there any way to do an exact match for the full string including the null termination character. I've commented out the ones I've tried that haven't worked.

    #if [message] == "A10\u0000"{
    #if [message] == "A10\\u0000"{
    #if [message] == 'A10\u0000'{
    if [message] =~ /^A10/{
       drop { }
    }

Badger · October 5, 2022, 6:56pm

As far as I know the logstash configuration does not recognize Unicode escape sequences. They are taken literally. Normally I would suggest inserting the actual character, but I do not think that will work with NUL.

You could drop anything that has A10 followed by a single character using

if [message] =~ "^A10.$" { drop {} }

If you really want to check for NUL then I think you would have to use a ruby filter and call event.cancel if it matches.

LisaJ · October 5, 2022, 6:59pm

Thanks for the suggestion -- the odds of a false positive on your /^A10.$/ regex is sufficiently low that it's not worth sorting out anything more exact.

Topic		Replies	Views
Logstash filter if conditional fails to match string ended with "\u0000" Logstash	4	1143	March 8, 2022
Drop empty message with character NULL \x00 Logstash	4	1351	April 19, 2020
Need help dropping specific messages Logstash	5	363	August 25, 2023
How to drop the following documents? Logstash	3	156	May 29, 2024
Logstash is escaping message! Logstash	2	2122	July 6, 2017

Null terminated message string

Related topics