Filebeat: How to not send logs from kube-system namespace

I tried all possible solutions mentioned here and StackOverflow. But not able to exclude logs from kube-system namespaces. Basically, I am getting logs from all the namespaces.

data:
  filebeat.yml: |-
    filebeat.inputs:
    - type: container
      paths:
        - /var/log/containers/*.log
      processors:
        - add_kubernetes_metadata:
            host: ${NODE_NAME}
            matchers:
            - logs_path:
                logs_path: "/var/log/containers/"
        - drop_event.when:
            or:
            - equals:
                kubernetes.namespace: "kube-system"
            - equals:
                kubernetes.namespace: "monitoring"

    setup.ilm.enabled: false
    output.elasticsearch:
      hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
      username: ${ELASTICSEARCH_USERNAME}
      password: ${ELASTICSEARCH_PASSWORD}

even tried this

filebeat.autodiscover:
 providers:
   - type: kubernetes
     node: ${NODE_NAME}
     hints.enabled: true
     hints.default_config:
       type: container
       paths:
         - /var/log/containers/*${data.kubernetes.container.id}.log
processors:
  - drop_event.when:
        or:
        - equals:
            kubernetes.namespace: kube-system
        - equals:
            kubernetes.namespace: monitoring

but nothing is working

Did you try this solution (with template): How to exclude other namespaces? - #24 by wajika ?

BTW Which version of filebeat are you using? Maybe there was a bugfix pushed in latter one.

I tried with filebeat version 7.8.0, 7.9.0, 7.12.0, and 8.0.0. But I keep getting all the noise from the kube-system namespace.

For a week I am trying to solve this issue. Almost testing everything on StackOverflow. Could you provide me any working yaml

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.