Filebeat exclude_lines is not working on Openshift

Ferdous_Khan · April 27, 2021, 3:44pm

Hello,

We have this Filebeat (v7.1) configuration on OpenShift Pod that only excludes lines that have 'ACPI' in it:

    - type: log
      paths:
        - /var/log/kern.log
      enabled: true
      exclude_lines: ['ACPI','ll header','martian source','promiscuous mode','SELinux: mount invalid']
      fields_under_root: true
      processors:
        - drop_event:
            when:
              or:
                - regexp: 
                    message: 'sd[a-z]..sd'

However, when I try similar configuration for Filebeat 7.11 on my PC, it works for all other keywords:

    filebeat.inputs:

    - type: log

      # Change to true to enable this input configuration.
      enabled: true

      # Paths that should be crawled and fetched. Glob based paths.
      paths:
        - /mnt/d/Temp/kern.log

      #exclude_lines: ['^DBG']
      exclude_lines: ['ACPI','ll header','martian source','promiscuous mode','SELinux: mount invalid']

Any idea why?

Sample log:

Apr 2 03:33:09 ocphost-1 kernel: [2076465.390809] IPv4: martian source 10.200.20011 from
Apr 2 03:33:09 ocphost-1 kernel: [1076365.390817] ll header: 00000000: 11 50 56 ad 98 d4 d8 67
Apr 2 03:40:10 ocphost-1 kernel: [5897106.058647] ACPI Error: Method parse/execution failed
Apr 2 08:07:58 ocphost-1 kernel: [5908172.576414] sdc: sdc1 sdc2

kvch · April 28, 2021, 8:37am

Could you please share the debug logs of Filebeat? It tells you when and why a line was excluded.

system · May 26, 2021, 10:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.