Hi there, we're looking into leveraging Logstash to forward our system logs to our SIEM, QRadar. I wanted to know if there is a way to filter out specific events with Logstash before forwarding onto QRadar.
Any help or documentation is much appreciated!
You can use conditionals and a drop {} filter to do this.
Sure there is a way, as Badger suggested. If you post here a concrete example of what your input is and how you wanna filter it we might help you even further.
Thank you both! I don't have any concrete examples yet... We are looking at this to forward to our SIEM, but we don't have it setup yet. Just making sure I have the capability to filter out specific events that we don't need to ingest into the SIEM to control costs. When I do get some events, I will circle back here.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.