I have Filebeat installed on a Windows server. I configured it to read logs from SQL Server. I can see that all lines are individually passed to ES, as I can see them in Kibana. My goal is to only send the lines that contain the sentence "Login failed for user".
The documentation is pretty straightforward:
The following example exports all log lines that contain sometext:
filebeat.inputs:
- type: log
  ...
  include_lines: ['sometext']
This is my yml file:
filebeat.inputs:
- type: log
  paths:
    - M:\sqlroot\MSSQL11.MSSQLSERVER\MSSQL\Log\ERRORLOG
  include_lines: ['Login failed for user']
But this results in no messages being forwarded to ES. I have tried multiple wildcard inputs, but no luck.
Would anyone see anything wrong with my configuration? Any help would be greatly appreciated. Thanks!
Could you please format your configuration file? Please also share a few example logs you are trying to filter out. Debug logs of Filebeat when reading these files would be also helpful (./filebeat -e -d "*").
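An offline check in the same spirit as the request above, added here as an example and not part of the thread or of Filebeat: it applies the `include_lines` pattern as a regular expression to each line of a log read under a given encoding, so you can see whether the pattern matches the text as it is actually read. The sample log bytes are constructed, and the idea that the file may be UTF-16 rather than single-byte text is an assumption to verify on your own ERRORLOG, not something stated in the thread.

```python
import re

# Pattern taken from the configuration in the question.
PATTERNS = ["Login failed for user"]

# Constructed sample lines in the general shape of a SQL Server error log.
_LINES = [
    "2024-01-01 10:00:00.00 Logon       Error: 18456, Severity: 14, State: 8.",
    "2024-01-01 10:00:00.00 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]",
    "2024-01-01 10:00:01.00 spid52      Starting up database 'tempdb'.",
]
# Assumption under test: the file is UTF-16LE with a byte-order mark.
SAMPLE = b"\xff\xfe" + "\r\n".join(_LINES).encode("utf-16-le")


def detect_bom(raw: bytes) -> str:
    """Name the encoding implied by a leading byte-order mark, if any."""
    if raw.startswith(b"\xef\xbb\xbf"):
        return "utf-8"
    if raw.startswith(b"\xff\xfe"):
        return "utf-16-le"
    if raw.startswith(b"\xfe\xff"):
        return "utf-16-be"
    return "none"


def matching_lines(raw: bytes, patterns, encoding: str):
    """Decode raw with the given encoding and keep lines matching any pattern."""
    compiled = [re.compile(p) for p in patterns]
    text = raw.decode(encoding, errors="replace")
    return [ln for ln in text.splitlines() if any(c.search(ln) for c in compiled)]


if __name__ == "__main__":
    # To test a real file: raw = open(path_to_errorlog, "rb").read()
    raw = SAMPLE
    print("BOM:", detect_bom(raw))
    # latin-1 maps every byte to one character, which models reading the
    # file byte-for-byte with no decoding: NUL bytes sit between letters.
    print("byte-for-byte matches:", len(matching_lines(raw, PATTERNS, "latin-1")))
    print("utf-16 matches:", len(matching_lines(raw, PATTERNS, "utf-16")))
```

If the pattern only matches once the bytes are decoded as UTF-16, the Filebeat input's `encoding` option is the setting to look at.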
Thank you for your response. I am not sure what you mean by formatting my configuration file. Do you mean that I need to display it here in the proper format? I have tried to attach it as a screenshot... Hopefully it will show properly.
When I run filebeat with the -e -d "*" I see the following (while it is running, I cause the SQL login error that I want to be filtered and sent to ElasticSearch):