Sercan,

There are a few ways you can handle this. 2GB a day seems a little on the high side for 200+ clients, so you may want to look at creating rules for noisy non-security related messages as severity 0, which essentially /dev/nulls the messages. The other option is to use the log_alert_level setting of alerts, which allows you to configure what severity levels are logged to the file.
All of that said, be very careful about throwing away even low severity log messages. You never know what will be useful after a security incident.

--Josh

On Fri, May 9, 2014 at 5:26 AM, sercan acar <[email protected]> wrote:
> Hi,
>
> Is there a way to control the alert level which is stored by
> elasticsearch? I know you can do this through rsyslog, but is it possible
> through logstash.conf?
>
> With 200+ clients, they are generating around 2GB of data a day!
>
> Regards,
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
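For readers who want to see what the two knobs from the reply above look like in practice, here is an added illustration; it is not part of the original thread and not a file shipped by the OSSEC project. The rule id 100100, the program name "cron", the match string, and the assumption that the noisy parent rule is id 1002 are all chosen for the example and should be replaced with whatever ossec-logtest shows is actually firing in your environment.

```xml
<!-- File 1 (assumed path): /var/ossec/rules/local_rules.xml
     Local rule ids 100000-119999 are reserved for site-specific rules.
     A level="0" rule silences everything it matches: narrow it with
     <match>/<program_name> so you drop only the known-noisy line, not
     every event the parent rule would otherwise catch. -->
<group name="local,">
  <rule id="100100" level="0">
    <!-- 1002 is assumed here to be the id of the noisy parent rule;
         confirm with ossec-logtest before copying this. -->
    <if_sid>1002</if_sid>
    <program_name>cron</program_name>
    <match>session opened for user</match>
    <description>Ignore routine cron session messages (example only).</description>
  </rule>
</group>

<!-- File 2 (assumed path): /var/ossec/etc/ossec.conf, <alerts> section.
     Only alerts at log_alert_level or higher are written to
     logs/alerts/alerts.log, which is the file Logstash would be tailing,
     so raising this value directly reduces what reaches Elasticsearch.
     The weak/default setting is 1 (log everything); 3 is a tightened
     example value, not a recommendation. -->
<ossec_config>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
```

After editing, feed a copy of the offending log line to /var/ossec/bin/ossec-logtest on stdin to confirm that rule 100100 (and not the parent) is the one that matches, then restart the manager with /var/ossec/bin/ossec-control restart. Keep in mind Josh's caveat: a level-0 rule and a raised log_alert_level both discard data before it is ever stored, so anything they drop is gone for good when you come to investigate an incident.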
