Drop filter in logstash with filebeat pipelines

Hello,

I have a Filebeat+Logstash+Elasticsearch stack, and it is working nicely. I am using Filebeat module pipelines in Elasticsearch because I want to use the default Filebeat dashboards in Kibana.

Now I need to drop some log lines in Logstash but it is not working. This is my Logstash config:

input {
  beats {
    port => "redacted"
    ssl => true
    ssl_certificate_authorities => ["/redacted.crt"]
    ssl_certificate => "/redacted.crt"
    ssl_key => "/redacted.key"
    ssl_verify_mode => "force_peer"
  }
}

filter {
  # Drop named denys:
  if [message] =~ /^client.*query\  \(cache\).*denied$/ {
    drop { }
  }
}

output {
  if [@metadata][pipeline] {
    elasticsearch {
      user => "redacted"
      password => "redacted"
      hosts => "https://redacted.example.com:redacted"
      manage_template => false
      ilm_enabled => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      pipeline => "%{[@metadata][pipeline]}"
    }
  } else {
    elasticsearch {
      user => "redacted"
      password => "redacted"
      hosts => "https://redacted.example.com:redacted"
      manage_template => false
      ilm_enabled => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
    }
  }
}

Any ideas? Thanks in advance.

I just saw that if I do not use regex it is working:

  if "denied" in [message] {
    drop { }
  }

Anyway, I need to use regex, so any idea about what could be wrong?

In the end, the issue was only a bad regex u_u
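An offline way to check a drop condition like the one in this thread before deploying it, as an added example that is not part of the original posts. It assumes the Logstash conditional behaves like a plain Ruby regular expression; the sample log lines and the `VARIANT` pattern are constructed for illustration and are not the fix the poster applied.

```ruby
# Added example: test a Logstash drop condition against sample messages
# so a filter neither misses the noise nor discards events you need.

# Pattern exactly as posted. `\ ` is an escaped space and it is followed by a
# second literal space, so "query" and "(cache)" must be two spaces apart.
# `^client` also requires the message to begin with "client".
POSTED = /^client.*query\  \(cache\).*denied$/

# Hypothetical variant (an assumption): accept any run of whitespace and
# allow a prefix such as a timestamp before "client".
VARIANT = /\bclient\b.*\bquery\s+\(cache\).*\bdenied\s*$/

# Constructed sample messages in the style of BIND named logs.
SAMPLES = {
  one_space:  "client 192.0.2.10#53124 (example.com): query (cache) 'example.com/A/IN' denied",
  two_spaces: "client 192.0.2.10#53124 (example.com): query  (cache) 'example.com/A/IN' denied",
  prefixed:   "17-Feb-2020 10:15:01.123 client 192.0.2.10#53124 (example.com): " \
              "query (cache) 'example.com/A/IN' denied",
  unrelated:  "client 192.0.2.10#53124 (example.com): zone transfer 'example.com/AXFR/IN' denied"
}.freeze

# True when the event would reach `drop { }` under the given pattern.
def dropped?(pattern, message)
  pattern.match?(message)
end

# Map each sample name to whether it would be dropped.
def report(pattern)
  SAMPLES.transform_values { |msg| dropped?(pattern, msg) }
end

if __FILE__ == $PROGRAM_NAME
  { "posted" => POSTED, "variant" => VARIANT }.each do |name, pattern|
    puts "#{name}:"
    report(pattern).each { |sample, hit| puts format("  %-11s %s", sample, hit ? "DROP" : "keep") }
  end
end
```

Keep a line such as `unrelated` in the sample set: it confirms the pattern does not discard other denial events that may matter for later investigation.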
