Filebeat 5.2 processor doesn't work

Elastic Stack Beats
1

Can you explain please, why my processor doesn't work? My config:

filebeat:                                                                                                                                                                                                       
  prospectors:
  - paths:
    - /var/log/samba/samba.log
    input_type: log 
    multiline.pattern: '^\['
    multiline.negate: true
    multiline.match: after
    document_type: sambalog
    close_renamed: true

  - paths:
    - /var/log/operations.log
    input_type: log 
    document_type: operationslog
    close_renamed: true
    processors:
    - drop_event:
      when:
        contains:
          message: 'MYKEYWORD'

Event from operations.log appears in Elasticsearch even when it contains word «MYKEYWORD». I have tried regexp processor and it doesn’t work too. Where I’ve missed? Thank you.

2

Filebeat 5.6.12. The same issue. Config:

filebeat:
  prospectors:
  - paths:
    - /var/log/test.log
    input_type: log 
    document_type: testlog
    close_renamed: true
    processors:
    - drop_event:
      when:
        contains:
          message: 'MYKEYWORD'
output:
  file:
    path: "/tmp"
    filename: filebeat

When I do «echo MYKEYWORD >> /var/log/test.log» the message appears in /tmp/filebeat. What's wrong?

3

This way works as expected:

filebeat:
  prospectors:
  - paths:
    - /var/log/test.log
    input_type: log 
    document_type: testlog
    close_renamed: true
    exclude_lines: ['MYKEYWORD']

output:
  file:
    path: "/tmp"
    filename: filebeat
4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.