Dumping unwanted data from the start to reduce load

CrocoGator · February 26, 2017, 7:54pm

I would like to reduce storage and workload by dumping unwanted syslogs as early as possible. Ideally before they are ever written to storage and before any extractors or additional rules are run against them. All of the affected syslogs are entering on a custom Input (forwarded from another syslog server) and I would like to keep priority levels 0-4 for processing and siphon the remaining 95% into a black hole.

I have read about blacklisting but can’t seem to find the specific current code or determine and determine the optimal place to put it.

Advice is appreciated. Thank you.

alias454 · February 26, 2017, 9:16pm

If possible, the best solution is not to send the logs in the first place. However, if that is not an option, then you can use the pipeline processor to drop messages.

An example drop rule could look like this

    rule "discard level 0"
    when
        has_field("level") &&
        contains(value: to_string($message.level), search: "0", ignore_case: true)
    then
        drop_message();
    end

Regards,
Brandon

Topic		Replies	Views
Filter logs Received Graylog Central (peer support) documentation	4	161	August 8, 2024
Dropping messages using Pipelines Graylog Central (peer support) pipeline-rules , debuggingpl	4	7467	August 2, 2019
Drop debug logs with pipeline Graylog Central (peer support) pipeline-rules , debuggingpl	4	1768	February 13, 2019
Rule does not work as expected Graylog Central (peer support)	8	1767	July 12, 2017
Prevent Messages to Default Stream Graylog Central (peer support)	4	606	April 28, 2023

Dumping unwanted data from the start to reduce load

Related topics