Filebeat include_lines issue

Hello,

I have Filebeat installed on a Windows server. I configured it to read logs from SQL Server. I can see that all lines are individually passed to ES, as I can see them in Kibana. My goal is to only send the lines that contain the sentence "Login failed for user".

The documentation is pretty straightforward:

The following example exports all log lines that contain sometext:
filebeat.inputs:
- type: log
  ...
  include_lines: ['sometext']

This is my yml file:
filebeat.inputs:
- type: log
  paths:
    - M:\sqlroot\MSSQL11.MSSQLSERVER\MSSQL\Log\ERRORLOG
      include_lines: ['Login failed for user']

But this results in no messages being forwarded to ES. I have tried multiple wildcard inputs, but no luck.

Would anyone see anything wrong with my configuration? Any help would be greatly appreciated. Thanks!

Sincerely,

RS

Just a quick note: the indentation in the message above is off. The include_lines is lined up under the 'p' in 'paths'.... Thanks!

Could you please format your configuration file? Please also share a few example logs you are trying to filter out. Debug logs of Filebeat when reading these files would also be helpful (./filebeat -e -d "*").

Good afternoon,

Thank you for your response. I am not sure what you mean by formatting my configuration file. Do you mean that I need to display it here in the proper format? I have tried to attach it as a screenshot... Hopefully it will show properly.

Here is an example of the log that I created with the error that I want to include:

When I run filebeat with the -e -d "*" I see the following (while it is running, I cause the SQL login error that I want to be filtered and sent to ElasticSearch):

Thank you for your help!

Sincerely,

RS
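
An added example, not part of the original thread and not Filebeat's own code: a small Python simulation of include_lines (keep a line if any regex matches) run over constructed ERRORLOG-style lines. It assumes the ERRORLOG is UTF-16LE with a BOM, which is how SQL Server writes it by default; the thread does not confirm this was the cause here, and latin-1 stands in for reading the bytes without an `encoding` setting.

```python
import re

# Constructed sample lines shaped like a SQL Server ERRORLOG (not from the thread).
SAMPLE_LINES = [
    "2024-01-15 10:22:31.45 Server      SQL Server is starting at normal priority base (=7).",
    "2024-01-15 10:23:02.10 Logon       Error: 18456, Severity: 14, State: 8.",
    "2024-01-15 10:23:02.10 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]",
    "2024-01-15 10:24:10.77 spid52      Using 'dbghelp.dll' version '4.0.5'",
]

INCLUDE_LINES = ["Login failed for user"]  # same pattern as in the thread

UTF16LE_BOM = b"\xff\xfe"


def as_errorlog_bytes(lines):
    """Serialize lines as assumed for ERRORLOG: UTF-16LE, BOM first, CRLF endings."""
    return UTF16LE_BOM + "\r\n".join(lines).encode("utf-16-le")


def looks_utf16le(raw):
    """Quick check a defender can run on the first bytes of the real file."""
    return raw.startswith(UTF16LE_BOM)


def read_lines(raw, encoding):
    """Decode the file bytes with the configured encoding and split into lines."""
    return raw.decode(encoding).splitlines()


def include_filter(lines, patterns):
    """Keep a line when at least one pattern (a regex) matches it."""
    compiled = [re.compile(p) for p in patterns]
    return [ln for ln in lines if any(rx.search(ln) for rx in compiled)]


if __name__ == "__main__":
    raw = as_errorlog_bytes(SAMPLE_LINES)
    print("UTF-16LE BOM present:", looks_utf16le(raw))
    # Byte-preserving read: every character is followed by a NUL, so nothing matches.
    print("no encoding set :", include_filter(read_lines(raw, "latin-1"), INCLUDE_LINES))
    # Correct decoding: only the failed-login line survives the filter.
    print("utf-16 decoding :", include_filter(read_lines(raw, "utf-16"), INCLUDE_LINES))
```

If the check reports a BOM on the real file, the matching Filebeat input option is `encoding: utf-16le-bom`, set at the same level as `paths` and `include_lines`.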
