Hey,
I believe this would depend on where the pipeline is placed (i.e., stage). So long as it doesn't hit Elasticsearch you should be good. TBH @tmacgbay probably would know better than I on these configurations and what to do.
Example:

```
rule "Drop Syslog Messages"
when
  has_field("level") AND ( to_string($message.level) == "7" OR lowercase(to_string($message.level)) == "debug" )
then
  drop_message();
end
```
Or something like this.
For log shippers, there are settings to prevent specific logs from being shipped.
With firewalls/routers/switches/APs, etc., most if not all have settings to minimize the amount of logs being sent.
A good example would be a Cisco switch.
```
sw>enable
sw#configure terminal
sw(config)#logging on
sw(config)#logging Graylog-Server
sw(config)#logging trap <level>
! <level> is one of the following (least to most verbose):
!   emergencies
!   alerts
!   critical
!   errors
!   warnings
!   notifications
!   informational (default level)
!   debugging
sw(config)#end
```
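As an added example (not part of the original post or of Graylog itself), here is a small Python sketch of the same severity filter: it parses the syslog `<PRI>` prefix, maps the numeric severity onto the Cisco `logging trap` level names listed above, and drops a message under the same conditions as the pipeline rule (level `7` or a level named `debug`). The sample lines are constructed.

```python
import re

# Syslog severities 0..7, in the same order as the Cisco "logging trap" levels.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

PRI_RE = re.compile(r"^<(\d{1,3})>")

def parse_pri(line):
    """Return (facility, severity) from the <PRI> prefix, or None if absent/invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # 23 facilities * 8 severities - 1 is the largest legal PRI
        return None
    return pri // 8, pri % 8

def should_drop(message, max_severity=6):
    """Mirror of the pipeline rule: drop when level is 7 (or above max_severity)
    or when the level is the word 'debug'/'debugging'."""
    level = message.get("level")
    if level is None:
        return False       # has_field("level") is false, so the rule does not fire
    if isinstance(level, str) and level.lower() in ("debug", "debugging"):
        return True
    try:
        return int(level) > max_severity
    except ValueError:
        return False       # unknown textual level: keep it rather than lose it

def filter_lines(lines, max_severity=6):
    """Split raw syslog lines into (kept, dropped) like the rule would."""
    kept, dropped = [], []
    for line in lines:
        msg = {"message": line}
        parsed = parse_pri(line)
        if parsed:
            msg["level"] = parsed[1]
            msg["level_name"] = SEVERITIES[parsed[1]]
        (dropped if should_drop(msg, max_severity) else kept).append(line)
    return kept, dropped

# Constructed sample input (local7 facility = 23, so PRI = 184 + severity).
SAMPLE = [
    "<191>Jan  1 00:00:01 sw 12: %SYS-7-USERLOG_DEBUG: debug noise",
    "<189>Jan  1 00:00:02 sw 13: %LINK-5-CHANGED: Interface Gi1/0/1, changed state",
    "<187>Jan  1 00:00:03 sw 14: %SYS-3-CPUHOG: Task ran long",
    "line without a PRI prefix is kept untouched",
]

if __name__ == "__main__":
    kept, dropped = filter_lines(SAMPLE)
    print(f"kept {len(kept)}, dropped {len(dropped)}")
```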