Exclude_files doesn't work?

przemolb · November 30, 2017, 5:08pm

Hi,
I have the following in my filebeat.yml (5.6):
...
exclude_files: ['.gz$', 'btmp*', 'btmp$']
...
but filebeat says in its logs:
2017-11-30T17:03:07Z INFO Harvester started for file: /var/log/wtmp 2017-11-30T17:03:07Z INFO Harvester started for file: /var/log/lastlog 2017-11-30T17:03:07Z INFO Harvester started for file: /var/log/file.log-20171101.gz 2017-11-30T17:03:07Z INFO Harvester started for file: /var/log/btmp 2017-11-30T17:03:07Z INFO Harvester started for file: /var/log/btmp-20171101
Why it is reading btmp and *.gz files ?

kvch · November 30, 2017, 5:54pm

Could you share your whole config and filebeat logs? Please format it using </>.

przemolb · December 1, 2017, 10:52am

Here you are:

    filebeat.prospectors:
    - input_type: log
      paths:
        - /var/log/*
      fields:
        type: system
    - input_type: log
      paths:
        - /opt/apps/logs/*.log
      fields:
        type: corda
      exclude_files: ['\.gz$', 'btmp*', 'btmp$']
    output.logstash:
      hosts: ["x.x.x.x:5043"]

przemolb · December 1, 2017, 10:56am

For forum requirements I have removed all the original comments from filebeat.yml and now I can see why it doesn't work - there is missing exclude_files for the first input_type.
So many years with config files and still ...

system · December 29, 2017, 10:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.