Background:
- Sending Sonicwall syslog to Logstash in order to keep records on SSL VPN logins/logouts
- Sonicwall indices are accounting for a majority of my storage usage
Need:
- Drop Sonicwall records based on specific criteria
Detail:
- I'm using the generic Sonicwall filter that's been floating around for a while now and it works just fine for getting documents/events into Elasticsearch.
- In Elasticsearch, I'm able to filter events based on the 'msg' field. I'm only using two queries:
- msg is SSL VPN zone remote user login allowed
- msg is User logged out*
- I'd like to cut down on the Sonicwall logging data I'm storing and I figure I can drop records at logstash before they even come into Elasticsearch
- Thought I could tag records that have a specific 'msg' and then drop any records that don't have that tag. I can't seem to make this work...
Questions:
- Should I be dropping records in Logstash or Elasticsearch?
- Is Logstash breaking up the syslog event into its parsable chunks or is Elasticsearch?
I've attempted to add an 'if' statement to my logstash filter:
  # tag the login events we want to keep (string literals in a Logstash conditional use plain double quotes, no backslashes)
  if [msg] == "SSL VPN zone remote user login allowed" {
    mutate {
      add_tag => [ "valid" ]
    }
  }
  # drop everything that was not tagged
  if "valid" not in [tags] {
    drop { }
  }
But the above just crashed logstash... Even if I take out the second 'if' to do the drop, logstash doesn't like it.
Looking for guidance. Thanks!!
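An added example (not the original poster's config) of the same idea written as one conditional: it keeps the two message types named in the post and drops everything else. It assumes the parsed field is called `msg`, as in the post, and that the logout message starts with the text "User logged out", which the `=~` regex matches as a prefix.

```logstash
filter {
  # Keep only the two SSL VPN message types; everything else is dropped.
  # The field name [msg] comes from the original post. The regex for the
  # logout message is an assumption about how that message begins, so
  # adjust it if the Sonicwall text differs.
  if [msg] == "SSL VPN zone remote user login allowed" or [msg] =~ /^User logged out/ {
    mutate {
      add_tag => [ "valid" ]
    }
  } else {
    # Events with no [msg] field also land here and are dropped.
    drop { }
  }
}
```

The conditional has to sit inside `filter { }` after the grok/kv filter that produces `msg`, because `[msg]` does not exist until Logstash has parsed the raw syslog line; Elasticsearch only stores what Logstash sends it.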