I test deployed ELK and installed filebeat, to see if there are interesting things mentioned in log files and to manage it centrally.
I already disabled the 30s update about filebeat state, too much clutter imo.
Another one that seems like clutter to me (or beat me if I'm wrong) are those INFO harvester messages 302 and 333 shown below, which are often repeated.
While there is no info logged in between from that specific log mentioned in the harvester messages, it's probably just a read action. It's fine those files get monitored, but I kinda assume that's the role of filebeat.
If I would like to run filebeat in debug mode then this might be interesting to know, but I don't, so how to turn those 302's and 333's off?
It's about the below type of messages.
    2021-01-27T02:08:31.775-0500#011INFO#011log/harvester.go:302#011Harvester started for file: /var/log/syslog
    2021-01-27T02:08:22.758-0500#011INFO#011log/harvester.go:333#011File is inactive: /var/log/syslog. Closing because close_inactive of 5m0s reached.
And for the record, none of these below work, I tried:
    # as : is used in regex i use . instead
    exclude_lines: ['\bharvester/.go.333|\bharvester/.go.302']
    exclude_lines: ['\bgo.333','\bgo.303','^DBG']
    exclude_lines: ['.*go.333.*', '.*go.302.*', '^DBG']
The documentation on this part isn't great imo, how would one exclude it?