Drop_event processor doesn't work

hlamsc · November 1, 2019, 8:11am

Hello,

I've a problem with my journalbeat config. I want to drop all events that have a syslog priority greater than 5 but nothing that has a process name with "nginx".

The config looks like this:

     processors:
        - drop_event:
           when:
              range:
                 syslog.priority.gt: 5
              and.not.contains:
                 process.name: "nginx"

I've tried so many things but it just dont want to work. When I remove the processor the logs are received. The constellation with drop everything with a priority greater than 5 but not nginx logs are not working togehter as it seems.

What am I doing wrong here?

Edit:
Ok I got a workaround with setting the facility of syslog in the nginx config. But it would be still interesting to know why my config above doesnt work

andrewkroh · November 1, 2019, 1:50pm

What about trying

    processors:
        - drop_event:
            when:
              and:
                range:
                  syslog.priority.gt: 5
                not.contains:
                  process.name: "nginx"

system · November 29, 2019, 3:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.