Excluding AWS ALB Health check from nginx logs


I've got a couple of NGINX instances running behind an ALB in AWS. I have Logstash forwarding the instances' access logs to Elasticsearch instances. I've been trying to filter out the ELB health checks from being pushed to Elasticsearch. Something like this:

output {
  if "[@metadata][user_agent]" != "ELB-HealthChecker/2.0" {
    elasticsearch {
      hosts => "XX.XXX.XX.XXX:9200"
      manage_template => false
      index => "nginx-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  }
}

I tried going the other way too, creating a new filter and using the drop plugin. Something to the effect of:

filter {
  if "[nginx][access][user_agent]" == "ELB-HealthChecker/2.0" { drop {} }
}

Neither of these seems to exclude the health checks from Elastic.

if ([message] =~ /^.*HealthChecker.*/) {
  drop {}
}

What does an example document you want to drop look like? Use a stdout { codec => rubydebug { metadata => true } } output.
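
An added example, not code from any poster in this thread: in a Logstash conditional a field reference is written bare, as `[a][b]`; wrapped in double quotes it is a string literal, so `"[nginx][access][user_agent]" == "ELB-HealthChecker/2.0"` compares two different strings and never matches. The pipeline below tags health checks with a bare field reference and excludes them at the output. The field names `[nginx][access][user_agent]` and `[nginx][access][url]`, the path `/healthz`, the tag name and the three generator events are assumptions constructed for the illustration; confirm the real field names with the rubydebug output suggested above.

```logstash
input {
  # Constructed sample events, so the pipeline can be tested offline.
  generator {
    count => 1
    codec => json
    lines => [
      '{"nginx":{"access":{"user_agent":"ELB-HealthChecker/2.0","url":"/healthz"}}}',
      '{"nginx":{"access":{"user_agent":"Mozilla/5.0","url":"/index.html"}}}',
      '{"nginx":{"access":{"user_agent":"ELB-HealthChecker/2.0","url":"/admin"}}}'
    ]
  }
}

filter {
  # Quoted form from the question, kept as a comment for comparison.
  # Both sides are string literals, so the test is always false:
  #   if "[nginx][access][user_agent]" == "ELB-HealthChecker/2.0" { drop {} }

  # Bare field references. The User-Agent header is set by the client,
  # so the match is also tied to the health-check path (assumed: /healthz).
  # A request that only carries the health-checker User-Agent stays logged.
  if [nginx][access][user_agent] == "ELB-HealthChecker/2.0" and [nginx][access][url] == "/healthz" {
    mutate { add_tag => ["elb_healthcheck"] }
    # Once the tag shows up on the right events only, the mutate can be
    # replaced with: drop { }
  }
}

output {
  # Output-side variant of the same exclusion, using the tag set above.
  if "elb_healthcheck" not in [tags] {
    # Swap in the elasticsearch output once the filtering is confirmed.
    stdout { codec => rubydebug { metadata => true } }
  }
}
```

With these three events, only the first is excluded; the `/index.html` and `/admin` events are printed.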
