Rule identification in messages


(Isaac Perez Moncho) #1

Hi,

We started using logstash not long ago and the number of rules is growing quite quickly, which makes it difficult to know which rule is applied to each message in elasticsearch.

Is there a standard or easy way to know which rule was applied to a certain log/elasticsearch document by logstash?

I was thinking of adding a field to the document when parsing it like the following:
add_field => [ "logstash_rule", "XXXXX" ]

In this way, it would be very easy to identify what rule is being applied.

But I'm not sure if that's a good strategy or not, and maybe there are better strategies out there.

Thanks,
Isaac


(Magnus Bäck) #2

Is there a standard or easy way to know which rule was applied to a certain log/elasticsearch document by logstash?

Not really.

I was thinking of adding a field to the document when parsing it like the following:
add_field => [ "logstash_rule", "XXXXX" ]

I've never felt a need to do this, but sure, if it helps you then by all means go ahead.


(Isaac Perez Moncho) #3

Hi Magnus,

Thanks, I started doing it and it definitely helps when developing new rules.
I also thought it could give me some numbers on which rules are used or not used.

Cheers,
Isaac
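The approach from posts #1 and #3, stamping each event with the name of the filter rule that matched it, written out as a complete Logstash filter section. This is an added example, not config from the thread; the field name logstash_rule comes from the thread, while the patterns, rule names and tag names are assumptions. It relies on grok only applying add_field when the match succeeds, so an event carries the name of the rule that actually parsed it, and events no rule handled can be spotted too.

```conf
filter {
  # Rule 1: plain syslog lines. add_field is only applied when the grok
  # match succeeds, so logstash_rule records which rule parsed the event.
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGLINE}" }
      add_field => { "logstash_rule" => "syslog-base" }
      tag_on_failure => ["_grokparsefailure_syslog-base"]
    }
  }

  # Rule 2: sshd authentication lines (assumed pattern and field names).
  # Only runs on events already parsed by rule 1 and overwrites
  # logstash_rule so the most specific matching rule wins.
  if [program] == "sshd" {
    grok {
      match => { "message" => "%{WORD:auth_result} password for %{USER:user} from %{IP:src_ip}" }
      add_field => { "logstash_rule" => "sshd-auth" }
      tag_on_failure => ["_grokparsefailure_sshd-auth"]
    }
  }

  # Catch-all: anything that reached the end without a rule stamp is
  # tagged so unparsed sources show up in a simple tag search.
  if ![logstash_rule] {
    mutate {
      add_tag => ["no_rule_matched"]
    }
  }
}
```

A terms aggregation on logstash_rule in Elasticsearch or a Kibana visualisation on that field then gives the per-rule usage counts mentioned in post #3, and a count of the no_rule_matched tag shows how much traffic no rule covers.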

