I am currently ingesting AWS VPC Flow logs from our AWS tenant. Most of the logs are internal traffic between EC2 instances. I'd like to send these events to nullQueue as they are not much use to us; we are only concerned with inbound and outbound traffic to the VPC. I think the best way to drop these events is to insert some regex into transforms.conf? Could someone help with this?
I wish to exclude events that have both srcaddr starting with 10.x and dstaddr starting with 10.x
Any help would be appreciated
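An added worked example, not part of the original post: it shows the field-position-anchored regex that a transforms.conf nullQueue stanza for this case would use, and checks it in Python against constructed VPC Flow Log lines, including one that an unanchored "10.x anywhere" pattern would drop by mistake. The sourcetype name, stanza names and the sample events are assumptions for illustration.

```python
import re

# Assumed Splunk configuration (placeholder sourcetype and stanza names):
#
#   props.conf
#   [aws:cloudwatchlogs:vpcflow]
#   TRANSFORMS-drop_internal = vpcflow_drop_internal
#
#   transforms.conf
#   [vpcflow_drop_internal]
#   REGEX = ^\S+\s+\S+\s+\S+\s+10\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+10\.\d{1,3}\.\d{1,3}\.\d{1,3}\s
#   DEST_KEY = queue
#   FORMAT = nullQueue
#
# Default (version 2) VPC Flow Log field order, space separated:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status

# Position-anchored pattern: skip the first three fields, then require that
# srcaddr AND dstaddr both start with "10.". Anchoring on field position means a
# "10." appearing elsewhere on the line cannot cause a false match.
INTERNAL_BOTH = re.compile(
    r"^\S+\s+\S+\s+\S+\s+"               # version account-id interface-id
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+"  # srcaddr in 10.0.0.0/8
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}\s"   # dstaddr in 10.0.0.0/8
)

# Unanchored variant, shown only to illustrate the pitfall: it also matches
# an address such as 110.20.30.40 because "10.20.30.40" is a substring of it.
NAIVE = re.compile(r"10\.\d+\.\d+\.\d+.*10\.\d+\.\d+\.\d+")


def is_internal(event: str) -> bool:
    """True when both srcaddr and dstaddr are in 10.0.0.0/8 (positional match)."""
    return INTERNAL_BOTH.match(event) is not None


def naive_matches(event: str) -> bool:
    """True when the unanchored pattern fires; used to show the false positive."""
    return NAIVE.search(event) is not None


def route(events):
    """Split events the way the transform would: (dropped -> nullQueue, kept -> index)."""
    dropped, kept = [], []
    for event in events:
        (dropped if is_internal(event) else kept).append(event)
    return dropped, kept


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    # internal <-> internal: should be dropped
    "2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.9 49152 443 6 10 840 1700000000 1700000060 ACCEPT OK",
    # inbound from the internet to the VPC: keep
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.5 51000 22 6 3 180 1700000000 1700000060 REJECT OK",
    # outbound from the VPC to the internet: keep
    "2 123456789012 eni-0a1b2c3d 10.0.1.5 198.51.100.23 49153 443 6 20 2400 1700000000 1700000060 ACCEPT OK",
    # external source whose address merely contains "10.20.30.40": keep
    "2 123456789012 eni-0a1b2c3d 110.20.30.40 10.0.1.5 40000 80 6 5 500 1700000000 1700000060 ACCEPT OK",
]

if __name__ == "__main__":
    dropped, kept = route(SAMPLE_EVENTS)
    print(f"dropped {len(dropped)}, kept {len(kept)}")
    for event in SAMPLE_EVENTS:
        print(f"positional={is_internal(event)!s:5} naive={naive_matches(event)!s:5} {event[:45]}...")
```

Two checks worth doing before enabling the stanza: confirm the sourcetype in props.conf is the one your inputs actually assign, and confirm that nothing outside the VPC (a peered VPC, a VPN or Direct Connect range) also uses 10.0.0.0/8, since those flows would be dropped as "internal" too. Also note that REJECT records between internal hosts are part of the lateral-movement picture; if you want to keep those, add `\S+\s+` steps up to the action field and match `ACCEPT` there so only accepted internal flows go to nullQueue.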