Exclude_pattern in logstash s3 input

niraj_kumar · August 23, 2017, 3:53am

This is my s3 input config. I am trying to exclude a key that has name called CloudTrail-Digest.

input {
  s3 {
    type => "cloudtrail"
    bucket => "aws"
    prefix => "Accounts/"
    add_field => { source => gzfiles }
    backup_to_dir => "/mnt/aws/s3backup"
    exclude_pattern => "^CloudTrail-Digest/"
    codec => cloudtrail {}
    region => "us-west-2"
    sincedb_path => "/etc/s3backup/sincedb"
  }
}

But when i try to run logstash. It still downloads that file. Any idea if my regex is wrong.

20:47:01.414 [[main]<s3] DEBUG logstash.inputs.s3 - S3 input: Adding to objects[] {:key=>"Accounts/bigdata/AWSLogs/xxxxxxxxxxx/CloudTrail-Digest/ap-northeast-2/2017/07/12/xxxxxxxxxxxx_CloudTrail-Digest_ap-northeast-2_CybersecurityTemplate-CloudTrailImpl-11EE2N5EAOL3B_us-west-2_20170712T090720Z.json.gz"}
20:47:01.414 [[main]<s3] DEBUG logstash.inputs.s3 - objects[] length is:  {:length=>2999}

magnusbaeck · August 24, 2017, 7:57pm

I'm not familiar with the s3 input but: ^CloudTrail-Digest/ matches strings that begin with CloudTrail-Digest, which the path in question clearly doesn't.

niraj_kumar · August 24, 2017, 8:20pm

So how can i exclude all the files that start with CloudTrail-Digest?

magnusbaeck · August 24, 2017, 8:23pm

You can use /CloudTrail-Digest/ to exclude all files that has CloudTrail-Digest as one patch component.

niraj_kumar · August 24, 2017, 8:28pm

I will try this one and update you.

system · September 21, 2017, 8:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.