Filebeat exclude line not working :(

funtimes · December 27, 2017, 7:47pm

Hello all! I've tried doing the best I can and research on my issue, however everything i've tried and research doesn't seem to work

Was hoping somebody on here might be able to help me out.

I have a very simple webserver(remote) using nginx and filebeats(6.1) to ship the logs directly to ES/Kibana(6.1) box in my network.

The logs are getting there just fine, I just simply want to reduce some of the logs that are sent, as they are junk/filler logs that I do not want to parse/store in ES.

Below is an example of the nginx line i want to exclude

xxx.xxx.xxx.xxx - - [27/Dec/2017:05:57:06 -0500] "GET /feedback/user HTTP/1.1" 200 824 "https://website/page" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"

Below is my nginx.yml config

- module: nginx
  access:
    enabled: true
    var.paths:
      - /var/log/nginx/access.log
    exclude_lines: ['feedback']
  error:
    enabled: true
    var.paths:
      - /var/log/nginx/error.log

Is there something that I am missing?

robscott27 · December 27, 2017, 9:38pm

I ran into this same issue last week and never got a response, but I did find a work around. It doesn't hold through package updates though since the files get overwritten. Not sure if this will help you, but here's the topic I opened:

funtimes · December 27, 2017, 9:52pm

@robscott27 You are awesome!!!!!

I followed your example for the nginx config file at

/usr/share/filebeat/module/nginx/access/config/nginx-access.yml

Added this last line to the bottom

type: log
paths:
{{ range $i, $path := .paths }}
 - {{$path}}
{{ end }}
exclude_files: [".gz$"]
exclude_lines: ['.*feedback.*']

And now it works as expected!!!! Thank you so much!! Wish I would have found that post earlier! Have been beating my head against the wall for days.

robscott27 · December 27, 2017, 11:09pm

Just remember that if/when you update the filebeat package, those changes
will not persist. They will be overwritten when the package is updated. I
can confirm this is the case when I updated from 6.1.0 to 6.1.1.

As mentioned, this is not the best way to get the exclusions working and I
never heard from anyone in that topic post as to why those config files
aren't being read/processed. Good to know it's not just me running into
this!

ruflin · December 29, 2017, 2:01am

The exclude_lines should also be prefixed with var I think, then it should work.

funtimes · December 29, 2017, 2:14am

github.com

elastic/beats/blob/master/filebeat/filebeat.reference.yml#L297


# following the W3C recommendation for HTML5 (http://www.w3.org/TR/encoding).
# Some sample encodings:
#   plain, utf-8, utf-16be-bom, utf-16be, utf-16le, big5, gb18030, gbk,
#    hz-gb-2312, euc-kr, euc-jp, iso-2022-jp, shift-jis, ...
#encoding: plain




# Exclude lines. A list of regular expressions to match. It drops the lines that are
# matching any regular expression from the list. The include_lines is called before
# exclude_lines. By default, no lines are dropped.
#exclude_lines: ['^DBG']


# Include lines. A list of regular expressions to match. It exports the lines that are
# matching any regular expression from the list. The include_lines is called before
# exclude_lines. By default, all the lines are exported.
#include_lines: ['^ERR', '^WARN']


# Exclude files. A list of regular expressions to match. Filebeat drops the files that
# are matching any regular expression from the list. By default, no files are dropped.
#exclude_files: ['.gz$']

So is line 297 in the file filebeat.reference.yml incorrect?

#exclude_lines: ['^DBG']

ruflin · January 3, 2018, 11:13pm

My above comment should have said prefixed by prospector and not var.

About the file you linked: There is a difference between configuring a prospector and a module. A module is using a prospector but has some predefined config options for the specific module. So from the module you need to use the prospector prefix to access the prospector config options.

system · January 31, 2018, 11:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.