Null terminated message string

I have a syslog message that contains a null terminated string: "syslog_message":"A10\u0000" -- these messages represent is-alive checks from a load balancer to the logstash servers. I would prefer not to have thousands of "the A10 checked & said logstash is still there" filling up Elasticsearch.

I've been able to filter out any messages that start with A10. Since our "real" messages , I shouldn't be dropping any good data, but I wonder if there is there any way to do an exact match for the full string including the null termination character. I've commented out the ones I've tried that haven't worked.

    #if [message] == "A10\u0000"{
    #if [message] == "A10\\u0000"{
    #if [message] == 'A10\u0000'{
    if [message] =~ /^A10/{
       drop { }

As far as I know the logstash configuration does not recognize Unicode escape sequences. They are taken literally. Normally I would suggest inserting the actual character, but I do not think that will work with NUL.

You could drop anything that has A10 followed by a single character using

if [message] =~ "^A10.$" { drop {} }

If you really want to check for NUL then I think you would have to use a ruby filter and call event.cancel if it matches.

Thanks for the suggestion -- the odds of a false positive on your /^A10.$/ regex is sufficiently low that it's not worth sorting out anything more exact.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.