
Is there a way to scrub the X-Forwarded-For field in the message in Logstash before sending it to logz?

Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken X-Forwarded-For

swetha
  • with the mutate filter, option [remove field](https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html#plugins-filters-mutate-remove_field) – baudsp May 17 '21 at 14:04
  • Just want to scrub the message containing the X-Forwarded-For field with empty... remove field only removes if the field is added, not in the message itself. – swetha May 18 '21 at 10:57
  • Could you please show what your message looks like (for example using the stdout output plugin with the json codec) and what you want to change? That'd give a better idea of how to help you – baudsp May 18 '21 at 11:01
  • Log looks like: message: 2021-05-12 08:02:32 10.x.x.x GET .js - 80 - 10.x.x.x Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+(KHTML,+like+Gecko)+Chrome/x.x.x.x+Safari/x.x 2xx x x 1xxxxx xxx xx Expected: Message: 2021-05-12 08:02:32 10.x.x.x GET .js - 80 - 10.x.x.x Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+(KHTML,+like+Gecko)+Chrome/x.x.x.x+Safari/x.x 2xx x x 1xxxxx xxx xx – swetha May 18 '21 at 12:43
  • to do so you'd have to use the [gsub](https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html#plugins-filters-mutate-gsub) option of the mutate filter – baudsp May 18 '21 at 12:53

1 Answer


Contact the logz.io support and they can customize the message indexing for you, including dropping specific fields.

Note: I work at logz.io.

Barak
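
The gsub approach suggested in the comments, written out as an added example (not code from the original thread). It assumes X-Forwarded-For is the last space-separated column of each line, as in the Fields list in the question, and that its value contains no spaces; the `-` replacement is a choice made here to keep the column count unchanged.

```logstash
filter {
  # Skip W3C header lines such as "#Fields: ..." (they start with '#').
  if [message] !~ /^#/ {
    mutate {
      # Assumption: X-Forwarded-For is the last space-separated column.
      # Overwrite that trailing column with "-" inside the raw message text,
      # so the client address chain never leaves the Logstash host.
      gsub => [ "message", " [^ ]+$", " -" ]
    }
  }
}
```

`remove_field`, by contrast, only drops a parsed event field and leaves the `message` string as it was.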