Preventing specific events from being indexed

tsmori · March 26, 2021, 5:02pm

Is there a way to prevent specific events from being indexed? I don't mean specific fields, but conditionals for a field.

For example, we're ingesting netflow traffic data and I want to exclude all events that have both source and destination IPs from a specific range. While I know I can exclude these from search results, the point would be to cut down on the index sizes because netflow data is massive.

I'm guessing the best way might be with a pipeline processor, but honestly the docs for using pipelines is so arcane, I can't even get one to compile outside of something that's just descriptive. Even if I can get such a pipeline created, I don't know how it would get applied to the existing architecture.

Badger · March 26, 2021, 5:17pm

You could do something like

cidr {
    add_field => { "[@metadata][srcMatch]" => true }
    address => [ "%{srcIp}" ]
    network => [ "169.254.0.0/16", "fe80::/64" ]
}
cidr {
    add_field => { "[@metadata][dstMatch]" => true }
    address => [ "%{dstIp}" ]
    network => [ "169.254.0.0/16", "fe80::/64" ]
}
if [@metadata][srcMatch] and [@metadata][dstMatch] { drop {} }

tsmori · March 31, 2021, 3:48pm

Thanks, I'll give that a shot. I tried something similar with the cidr filter, setting a tag and then trying to drop by matching tags, but while Logstash didn't complain it also didn't work.

Topic		Replies	Views
Excluding files from being indexed Elasticsearch	2	502	July 5, 2017
Filter out (drop) a log sent to Logstash, based on the values of its fields Logstash	6	2182	September 13, 2022
Logstash input with filtered output Logstash	9	614	April 9, 2021
Skip indexing based on field value Elasticsearch	7	2428	December 10, 2017
Sending events from specific ip adress to specific index Logstash	2	260	October 11, 2022

Preventing specific events from being indexed

Related topics