Exclude Lines

Hi All

Having a bit of a problem with excluding lines.

Here is my config:

// - type: log
//   enabled: true
//   paths: ["/var/log/clamd.log"]
//   multiline.pattern: "Starting ClamAV Scan"
//   multiline.negate: true
//   multiline.match: after
//   multiline.flush_pattern: "Finished ClamAV Scan"
//   exclude_lines: ['SelfCheck', 'reloaded', 'Reading']
//   tags: ["clamav"]

Still getting this into Kibana:

// Mon Aug 20 11:59:43 2018 -> Database correctly reloaded (6615382 signatures)
// Mon Aug 20 11:59:28 2018 -> SelfCheck: Database modification detected. Forcing reload.
// Mon Aug 20 11:59:29 2018 -> Reading databases from /var/lib/clamav

Oddly enough, this is being blocked:

// Mon Aug 20 10:35:19 2018 -> SelfCheck: Database status OK.

Any idea how to completely exclude those lines from going to Logstash?

Thank you

@WarrenG If I understand correctly, you are creating one multiline event starting with "Starting ClamAV Scan" and ending with "Finished ClamAV Scan".

Are the following lines between the start pattern and end pattern?

// Mon Aug 20 11:59:43 2018 -> Database correctly reloaded (6615382 signatures)
// Mon Aug 20 11:59:28 2018 -> SelfCheck: Database modification detected. Forcing reload.
// Mon Aug 20 11:59:29 2018 -> Reading databases from /var/lib/clamav
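
One way to answer the question above against the actual log file, as an added example that is not part of the thread: the script marks every line that matches an `exclude_lines` pattern as inside or outside a scan block. The sample log is constructed, and the wording of the start and end lines is an assumption taken from the multiline patterns in the config.

```python
import re

# Patterns copied from the config in the question.
START = re.compile(r"Starting ClamAV Scan")
END = re.compile(r"Finished ClamAV Scan")
EXCLUDE = [re.compile(p) for p in ("SelfCheck", "reloaded", "Reading")]

# Constructed sample: the log lines quoted in the thread plus hypothetical
# scan start/end lines (their real wording and timestamps are assumptions).
SAMPLE = """\
Mon Aug 20 10:35:19 2018 -> SelfCheck: Database status OK.
Mon Aug 20 11:59:00 2018 -> Starting ClamAV Scan
Mon Aug 20 11:59:28 2018 -> SelfCheck: Database modification detected. Forcing reload.
Mon Aug 20 11:59:29 2018 -> Reading databases from /var/lib/clamav
Mon Aug 20 11:59:43 2018 -> Database correctly reloaded (6615382 signatures)
Mon Aug 20 12:01:10 2018 -> Finished ClamAV Scan
Mon Aug 20 12:10:00 2018 -> SelfCheck: Database status OK.
"""


def classify(lines):
    """Return (position, pattern, line) for each line an exclude pattern hits.

    position is "inside" when the line lies between a start line and the
    next end line, otherwise "outside".
    """
    in_block = False
    report = []
    for line in lines:
        if START.search(line):
            in_block = True
            continue
        if END.search(line):
            in_block = False
            continue
        # First exclude pattern that matches this line, if any.
        hit = next((p.pattern for p in EXCLUDE if p.search(line)), None)
        if hit:
            report.append(("inside" if in_block else "outside", hit, line))
    return report


if __name__ == "__main__":
    for position, pattern, line in classify(SAMPLE.splitlines()):
        print(f"{position:8} {pattern:10} {line}")
```

Filebeat's documentation for `exclude_lines` states that, when multiline settings are also specified, each multiline message is combined into a single line before the filter is applied, so where a line sits relative to the start and end patterns determines which event the filter actually sees.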
