Excluding Access Files

version 6.3 for the entire ELK Stack

hello! i am trying to exclude all access files from filebeat but am having trouble with the syntax.

i am allowing all of the files because i have multiple folders with the same structure and different names: - /opt/*/tomcat/logs/*
but am also trying to exclude the access files: - /opt/*/tomcat/logs/access*

Please view my filebeats.yml file below:

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: log

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
#- /var/log/*.log
#- /var/log/secure
#- /var/log/messages
- /opt/*/tomcat/logs/*
- /usr/share/apache-tomcat-8.0.28/logs/catalina.*
#- c:\programdata\elasticsearch\logs\*

  exclude_files:
- /opt/*/tomcat/logs/access*

It is possible that my path overrides my exclude... what would be the correct way to exclude a file within the folder i have included all (*)?

I think your issue is that exclude_files expects regular expressions, not file globs, so what you want is:

exclude_files:
  - /opt/.*/tomcat/logs/access

or just

exclude_files:
  - /tomcat/logs/access

Hi @adrisr,

thanks for your reply, i wanted to confirm that you do not need the * symbol after "access" like this:

exclude_files:
  - /tomcat/logs/access*

No, it's not needed.

If you add it, it will have a meaning different to what you expect.

Have a look at our documentation to learn more about regular expressions:
https://www.elastic.co/guide/en/beats/filebeat/current/regexp-support.html

I'll start adding this to all of my servers now!

Thanks again @adrisr!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.