Excluding AWS ALB Health check from nginx logs

kersmacko · November 17, 2017, 2:49pm

Hello,

I've got a couple of NGINX instances running behind an ALB in AWS. I have Logstash forwarding the instances' access logs to elastic search instances. I've been trying to filter out the ELB health checks from being push to Elastic Search. Something like this:

output {
if "[@metadata][user_agent]" != "ELB-HealthChecker/2.0" {
elasticsearch {
hosts => "XX.XXX.XX.XXX:9200"
manage_template => false
index => "nginx-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}

I tried going the other way too. Creating a new filter and using the the drop plugin. Something to the effect of:

filter {
if "[nginx][access][user_agent]" == "ELB-HealthChecker/2.0" {drop {}}
}

neither of these seem to exclude the health checks from Elastic.

Hush077 · November 17, 2017, 7:19pm

if ([message] =~ /^.*HealthChecker.*/) {
  drop {}
}

magnusbaeck · November 21, 2017, 6:21am

What does an example document you want to drop look like? Use a stdout { codec => rubydebug { metadata => true } } output.

system · December 19, 2017, 6:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.