I have a working filter that is meeting my needs, but I'm wondering about the efficiency as it grows. My apologies for the formatting, as I'm inexperienced on this forum, but my filter is as follows:
filter {
  if [type] == "wineventlog" {
    # each =~ is a separate regex match against the same message field
    if [message] =~ 'CONHOST.EXE' or
       [message] =~ 'UPDATETRUSTEDSITES.EXE' or
       [message] =~ 'DLLHOST.EXE' or
       [message] =~ 'CHROME.EXE' or
       [message] =~ 'TASKHOSTW.EXE' or
       [message] =~ 'OFFICEBACKGROUNDTASKHANDLER.EXE' or
       [message] =~ 'ACRODIST.EXE' {
      drop { }
    }
  }
}
What I'm trying to accomplish is to capture AppLocker events from tens of thousands of student computers for security purposes, and there is no need to log expected OS/application behavior. I can see needing to add many more [message] =~ lines in the future, but I'm concerned that I may be inefficiently re-reading the same message field again and again, possibly causing performance issues.
Any suggestions on a recommended way to do this? Or is this already optimized by Logstash?
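An added example, not from the original post, of the same drop filter rewritten so each event's message is scanned by one regex instead of one per process name; the sample AppLocker message in the comment is constructed to show what the pattern is meant to match.

```conf
filter {
  if [type] == "wineventlog" {
    # One case-insensitive alternation replaces the chain of separate =~ tests.
    # Logstash compiles the conditional once, but every =~ in the chain is its
    # own scan of [message]; a single alternation scans it once per event, and
    # extending the allow-list means adding a name to one line.
    # \.EXE escapes the dot (a bare "." matches any character) and \b on both
    # sides keeps e.g. "NOTCHROME.EXE" or "CHROME.EXE.BAK" from matching.
    # Constructed sample message this is intended to match:
    #   %SYSTEM32%\CONHOST.EXE was allowed to run.
    if [message] =~ /(?i)\b(?:CONHOST|UPDATETRUSTEDSITES|DLLHOST|CHROME|TASKHOSTW|OFFICEBACKGROUNDTASKHANDLER|ACRODIST)\.EXE\b/ {
      drop { }
    }
  }
}
```

Because this only drops events that name expected binaries, an event for an unexpected or blocked executable still passes through unchanged; if the shipper delivers the AppLocker file path as its own structured field, matching that field instead of the free-text message avoids scanning the message at all.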