Exclude_files doesn't work?

Hi,
I have the following in my filebeat.yml (5.6):

    ...
    exclude_files: ['.gz$', 'btmp*', 'btmp$']
    ...

but filebeat says in its logs:

    2017-11-30T17:03:07Z INFO Harvester started for file: /var/log/wtmp
    2017-11-30T17:03:07Z INFO Harvester started for file: /var/log/lastlog
    2017-11-30T17:03:07Z INFO Harvester started for file: /var/log/file.log-20171101.gz
    2017-11-30T17:03:07Z INFO Harvester started for file: /var/log/btmp
    2017-11-30T17:03:07Z INFO Harvester started for file: /var/log/btmp-20171101

Why is it reading btmp and *.gz files?

Could you share your whole config and filebeat logs? Please format it using </>.

Here you are:

    filebeat.prospectors:
    - input_type: log
      paths:
        - /var/log/*
      fields:
        type: system
    - input_type: log
      paths:
        - /opt/apps/logs/*.log
      fields:
        type: corda
      exclude_files: ['\.gz$', 'btmp*', 'btmp$']
    output.logstash:
      hosts: ["x.x.x.x:5043"]

To meet the forum requirements I removed all the original comments from filebeat.yml, and now I can see why it doesn't work - exclude_files is missing for the first input_type.
So many years with config files and still ... :wink:
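
The resolution above, as an added example (not code from the thread or from Filebeat): a small Python model of per-prospector filtering that reports which prospectors have no `exclude_files` and which of the logged files each one would harvest. It assumes `exclude_files` entries are unanchored regular expressions tested against the full path and uses a simplified glob; the function names and the two extra file names are hypothetical.

```python
import fnmatch
import posixpath
import re

# Prospectors as posted in the thread, reduced to the keys that matter here.
PROSPECTORS = [
    {"paths": ["/var/log/*"]},
    {"paths": ["/opt/apps/logs/*.log"],
     "exclude_files": [r"\.gz$", "btmp*", "btmp$"]},
]

# File names from the posted Filebeat log, plus two constructed entries.
FILES = [
    "/var/log/wtmp",
    "/var/log/lastlog",
    "/var/log/file.log-20171101.gz",
    "/var/log/btmp",
    "/var/log/btmp-20171101",
    "/var/log/syslog",            # constructed
    "/opt/apps/logs/node.log",    # constructed
]

def glob_match(path, pattern):
    """Simplified glob (assumption): wildcard only in the last path component."""
    pattern_dir, pattern_name = posixpath.split(pattern)
    file_dir, file_name = posixpath.split(path)
    return pattern_dir == file_dir and fnmatch.fnmatchcase(file_name, pattern_name)

def harvested(prospector, files):
    """Paths matched by this prospector's globs and not by its OWN exclude_files."""
    excludes = [re.compile(p) for p in prospector.get("exclude_files", [])]
    return [f for f in files
            if any(glob_match(f, g) for g in prospector["paths"])
            and not any(rx.search(f) for rx in excludes)]

def missing_excludes(prospectors):
    """Indexes of prospectors that define no exclude_files at all."""
    return [i for i, p in enumerate(prospectors) if not p.get("exclude_files")]

def with_excludes(prospector, patterns):
    """Copy of a prospector with exclude_files set to the given patterns."""
    return {**prospector, "exclude_files": list(patterns)}

if __name__ == "__main__":
    for i in missing_excludes(PROSPECTORS):
        print("prospector", i, "has no exclude_files:", harvested(PROSPECTORS[i], FILES))
    fixed = with_excludes(PROSPECTORS[0], PROSPECTORS[1]["exclude_files"])
    print("after fix:", harvested(fixed, FILES))
```

With the same patterns copied to the first prospector, the `.gz` and `btmp` files drop out, while `/var/log/wtmp` and `/var/log/lastlog` are still harvested because no pattern covers them.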
