1. Describe your incident:
I’m looking for a way to send only specific IDs to the Graylog server. I mean not all logs classified as warning, error or something; I just want to send specific IDs - for example, if someone from inside tries to reach any IP outside and one of my access lists denies this request, the log ID is 106100.
2. Describe your environment:
OS Information: Cisco ASA, Graylog is installed on Ubuntu 22.04
Package Version: Graylog 5.0
Service logs, configurations, and environment variables: that is what I’m looking for: how to configure this
3. What steps have you already taken to try and solve the problem?
4. How can the community help?
As far as I remember ASA, you can decide up to which log level you want to send logs. You can also change the log level per ID, if I remember correctly. With both of those properties you can send logs to Graylog.
If you receive more in Graylog than you want you can delete Logs based on their ID:
- build a rule to extract the ID in a certain field, we call it asa_syslog_id
- create a rule if the field has a certain value to drop the message
Or, if your list of event IDs is very short, you can build a rule that throws away any message that does not contain your specific IDs. Boolean operators in pipelines are very useful for this.
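As an added example (not code from the original post or from the Graylog project), here is what the two-rule approach described above can look like as Graylog pipeline rules. It assumes the ASA messages carry the standard `%ASA-<severity>-<id>:` prefix in the `message` field, that the field name `asa_syslog_id` from the post is used, and that 106100 is the ID from the question; 106023 (ACL deny) is an assumed second ID to show how the allow list grows with `||`.

```text
// Stage 0: extract the six-digit ASA message ID into asa_syslog_id.
rule "extract ASA syslog ID"
when
  has_field("message") && contains(to_string($message.message), "%ASA-")
then
  // Example line: "%ASA-6-106100: access-list inside_in denied tcp ..."
  // regex() returns the capture groups; "0" is the first group (the ID).
  let parts = regex("%ASA-\\d-(\\d{6}):", to_string($message.message));
  set_field("asa_syslog_id", parts["0"]);
end

// Stage 1: keep only the short allow list, drop every other ASA message.
// Only messages that went through stage 0 are touched, so non-ASA
// messages in the same stream are left alone.
rule "keep only selected ASA IDs"
when
  has_field("asa_syslog_id") &&
  ! (
    to_string($message.asa_syslog_id) == "106100" ||   // ID from the question
    to_string($message.asa_syslog_id) == "106023"      // assumed second ID; add more with ||
  )
then
  drop_message();
end
```

Put the extraction rule in an earlier stage than the drop rule and attach the pipeline to the stream that carries the ASA input only; the reverse (a rule that drops messages whose ID is on a short deny list) is the same `when` clause without the `!`. Dropped messages are never written to the journal index, so this keeps the disk usage down even though the messages still arrive at the Graylog input.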
I think that my list is really short. My goal is to drop the logs at the source - Cisco. It’s not necessary to receive all logs on the Graylog server and drop them there - it will exhaust my SSD soon.
The suggestion that @ihe stated might help; for example, you can set the Severity Levels for warning/critical etc… that may help to reduce the amount of logs you’re receiving.
You may be surprised. Dropping messages as soon as they arrive does not require much I/O.