Drop_event processor doesn't work

hlamsc · November 1, 2019, 8:11am

Hello,

I've a problem with my journalbeat config. I want to drop all events that have a syslog priority greater than 5 but nothing that has a process name with "nginx".

The config looks like this:

     processors:
        - drop_event:
           when:
              range:
                 syslog.priority.gt: 5
              and.not.contains:
                 process.name: "nginx"

I've tried so many things but it just dont want to work. When I remove the processor the logs are received. The constellation with drop everything with a priority greater than 5 but not nginx logs are not working togehter as it seems.

What am I doing wrong here?

Edit:
Ok I got a workaround with setting the facility of syslog in the nginx config. But it would be still interesting to know why my config above doesnt work

andrewkroh · November 1, 2019, 1:50pm

What about trying

    processors:
        - drop_event:
            when:
              and:
                range:
                  syslog.priority.gt: 5
                not.contains:
                  process.name: "nginx"

system · November 29, 2019, 3:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Journabeat (7.6) processors is ignored [Solved] Beats journalbeat	2	562	November 4, 2022
Filebeat Nginx module not dropping events Beats filebeat	5	1707	January 25, 2019
Processor [drop_event] not dropping events Beats winlogbeat	9	9108	February 16, 2017
Filebeat drop_event Beats filebeat	2	3922	July 5, 2017
Unable to drop events Beats winlogbeat	6	986	June 28, 2018

Drop_event processor doesn't work

Related topics