Parsing events before forwarding

Hi there, we're looking into leveraging Logstash to forward our system logs to our SIEM, QRadar. I wanted to know if there is a way to filter out specific events with Logstash before forwarding onto QRadar.

Any help or documentation is much appreciated!

You can use conditionals and a drop {} filter to do this.
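A pipeline that puts this together, written as an added example rather than a configuration posted in this thread. It assumes the syslog input and syslog output plugins are installed, and the host names, ports, program names and message patterns are placeholders to be replaced with your own:

```logstash
# Added example: drop unwanted syslog events before they reach the SIEM.
# Host names, ports and match values below are assumptions, not from the thread.
input {
  syslog {
    port => 5514
  }
}

filter {
  # Discard everything from an assumed lab host whose logs should not be billed
  if [logsource] == "lab-host-01.example.com" {
    drop { }
  }

  # Discard debug-level messages (syslog severity 7) regardless of source
  if [severity] == 7 {
    drop { }
  }

  # Discard a known-noisy cron job line but keep other cron activity
  if [program] == "cron" and [message] =~ /^\(root\) CMD \(run-parts/ {
    drop { }
  }

  # Keep only a sample of very chatty but low-value systemd messages
  if [program] == "systemd" and [severity] >= 6 {
    drop { percentage => 90 }
  }
}

output {
  # Forward whatever survived the filters to QRadar over TCP syslog
  syslog {
    host => "qradar.example.com"
    port => 514
    protocol => "tcp"
  }
}
```

Each `if` is evaluated per event, so an event that matches any of the conditions is dropped and never reaches the output; `percentage` on `drop` keeps a random share rather than all or nothing. When tuning these rules for cost, restrict them to fields that identify noise (program name, severity, a specific message pattern) rather than broad host-wide drops, so that authentication, privilege-escalation and service-failure events from the same hosts still reach the SIEM.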

Sure there is a way, as Badger suggested. If you post here a concrete example of what your input is and how you want to filter it, we might help you even further.

Thank you both! I don't have any concrete examples yet... We are looking at this to forward to our SIEM, but we don't have it set up yet. Just making sure I have the capability to filter out specific events that we don't need to ingest into the SIEM to control costs. When I do get some events, I will circle back here.
