Doubts about how to exclude events by process name with Filebeat

Hi,
I'm trying to send logs to Elastic from the file /var/log/messages*, and I have a lot of logs from other Elastic agents in it. The file messages* looks like this:

Dec  1 16:50:03 machine_name heartbeat: "status": "up",
Dec  1 16:50:03 machine_name heartbeat: "duration": {
Dec  1 16:50:03 machine_name heartbeat: "us": 37154
Dec  1 16:50:03 machine_name heartbeat: },

I'm using the system module from Filebeat to read the file, and the configuration looks like this:

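- module: system
  syslog:
    enabled: true
    var.paths: ["/var/log/messages*"]
    processors:
      # Drop syslog lines that the Beats themselves wrote, so their own output
      # is not re-ingested. The event field is `process.name`; the `fields`
      # object seen in the Kibana document JSON is the search-hit wrapper, not
      # part of the event, so `fields.process.name` never matches anything.
      #
      # NOTE(review): this only matches if `process.name` is already set when
      # the Filebeat-side processor runs. If the syslog parsing for this
      # module happens in the Elasticsearch ingest pipeline instead, the field
      # is absent at this point and the condition would have to match on
      # `message` — verify against your Filebeat version.
      - drop_event:
          when:
            # `or` takes a list of conditions, each introduced by `- `; the
            # condition keyword is `equals` (the original had `equal` and no
            # space after the dash, which is not valid YAML list syntax).
            or:
              - equals:
                  process.name: "heartbeat"
              - equals:
                  process.name: "filebeat"
              - equals:
                  process.name: "metricbeat"
              - equals:
                  process.name: "auditbeat"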

The JSON of the indexed document looks like this:

{
  "_index": "filebeat-2021.12.03-000001",
  "_type": "_doc",
  "_id": "UuU6i30BMQXLZCTNxfp4",
  "_version": 1,
  "_score": null,
  "fields": {
    "process.name.text": [
      "metricbeat"
    ],
    "host.os.name.text": [
      "CentOS Linux"
    ],
    "host.hostname": [
      "machine_name"
    ],
    "host.mac": [
      "X:X:X:X:X"
    ],
    "service.type": [
      "system"
    ],
    "host.ip": [
      "x.x.x.x"
    ],
    "agent.type": [
      "filebeat"
    ],
    "event.module": [
      "system"
    ],
    "host.os.version": [
      "7 (Core)"
    ],
    "host.os.kernel": [
      "X:X:X:X:X"
    ],
    "host.os.name": [
      "CentOS Linux"
    ],
    "agent.name": [
      "agent_machine_name"
    ],
    "host.name": [
      "agent_machine_name"
    ],
    "host.id": [
       "X:X:X:X:X"
    ],
    "event.kind": [
      "event"
    ],
    "event.timezone": [
      "+00:00"
    ],
    "fields.env": [
      "staging"
    ],
    "host.os.type": [
      "linux"
    ],
    "fileset.name": [
      "syslog"
    ],
    "host.os.codename": [
      "Core"
    ],
    "input.type": [
      "log"
    ],
    "host.geo.name": [
      "machine_name"
    ],
    "log.offset": [
      xxx
    ],
    "agent.hostname": [
      "machine_name"
    ],
    "message": [
      "xxxxxx"
    ],
    "tags": [
      "xx",
      "x"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "process.name": [
      "metricbeat"
    ],
    "event.ingested": [
      "2021-12-05T15:33:44.430Z"
    ],
    "@timestamp": [
      "2021-12-05T15:33:39.000Z"
    ],
    "agent.id": [
      "9a908bc9-d4bd-4d66-8c64-ff944d5f1cfb"
    ],
    "host.containerized": [
      false
    ],
    "host.os.platform": [
      "centos"
    ],
    "ecs.version": [
      "1.9.0"
    ],
    "log.file.path": [
      "/var/log/messages-20210126"
    ],
    "agent.ephemeral_id": [
      "1445b6dc-9992-411a-8f9f-7d0134ed28b9"
    ],
    "agent.version": [
      "7.13.4"
    ],
    "related.hosts": [
      "machine_name"
    ],
    "host.os.family": [
      "redhat"
    ],
    "host.geo.location": [
      {
        "coordinates": [
          -9.1458,
          38.731113
        ],
        "type": "Point"
      }
    ],
    "event.dataset": [
      "system.syslog"
    ]
  },
  "highlight": {
    "process.name": [
      "@kibana-highlighted-field@metricbeat@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1638718419000
  ]
}

Your field name is process.name, not fields.process.name — the `fields` object wrapping the document above is part of the search result, not of the event itself. Change your condition to use process.name and see if it works.

I found the solution here:
https://discuss.elastic.co/t/beats-filebeat-metricbeat-etc-log-to-syslog-with-logging-to-syslog-false/179085/2
Basically, I will not pollute /var/log/messages* anymore.
