Sophos XG no Graylog

I have been sending Sophos XG logs to Graylog. At the moment I only send Firewall Rules logs, but the events are large, I would like to reduce it. Is there any way?
Should I delete some extractors?

I only need to log the source and destination IP

If you do this in pipeline rules it would be trivial to extract what you need to and then use the function remove_field to select exactly what you want to keep.

If I delete the extractors that I don’t use, is that also possible?

If you have an extractor that is copying data to a new field, and you delete that extractor, then yes it won’t create that new field, however the message field will still be the same size, unless you overwrite that field with something else.

Could I also create a backup of my logs and move it to removable media? How to do this, I use opensearch

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.