please re-read my previous answer again. include_lines is a regular expression, it does not look for ERROR at the beginning of the line. The drop_event + when.not will remove all events not having ERROR. It's a double-negation -> send only messages having string ERROR.