Filebeat not excluding lines?

hybrid · December 16, 2016, 5:45am

Running FileBeat 5.1

filebeat.prospectors:
- input_type: log
  paths:
    - c:\\DNSLogging\\trace.log
  include_lines: ['^[0-9]{1,2}\/[0-9]{1,2}\/[0-9]{4}\s{1,2}[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\s{1,2}', '^\\s{2}Msg\\slength']
  exclude_lines: ['\(\d+\)some\(\d+\)domain\(\d+\)com\(\d+\)\\n']
  multiline.pattern: ^\d{1,2}\/\d{1,2}\/\d{4}\s{1,2}\d{1,2}:\d{1,2}:\d{1,2}\s{1,2}AM|PM
  multiline.negate: true
  multiline.match: after
  multiline.max_lines: 7

I want to exclude internal lookups.
But (n)some(n)domain(n)com(n) is still being included in the output.
My understanding is that the multiline should be put to a single line first. Then the include_lines should trigger. Then exclude lines should go last.
Any idea what might be wrong?

ruflin · December 16, 2016, 8:55am

Could you share some example logs that you are processing? Also enabling debug logging for filebeat could help you to detect the problem.

hybrid · December 16, 2016, 9:16am

Sure, I'll post something when I get back to work next week, thanks.

hybrid · December 18, 2016, 9:29pm

19/12/2016 8:10:57 AM 0AE0 PACKET 000000F7530B58F0 UDP Rcv 127.0.0.1 856b Q [0001 D NOERROR] A (6)server(4)some(6)domain(3)com(0)
UDP question info at 000000F7530B58F0
Socket = 448
Remote addr 127.0.0.1, port 56279
Time Query=1374460, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x002c (44)
Message:
XID 0x856b
Flags 0x0100
QR 0 (QUESTION)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 1
RA 0
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 0
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
Name "(6)server(4)some(6)domain(3)com(0)"
QTYPE A (1)
QCLASS 1
ANSWER SECTION:
empty
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
empty

I only care about the lines up to message length.
The resultant single line message looks something like this:

19/12/2016 8:11:52 AM 0AE0 PACKET 000000F753280310 UDP Rcv 127.0.0.1 fcca Q [0001 D NOERROR] A (6)server(4)some(6)domain(3)com(0)\nUDP question info at 000000F753280310\n Socket = 448\n Remote addr 127.0.0.1, port 59602\n Time Query=1374515, Queued=0, Expire=0\n Buf length = 0x0fa0 (4000)\n Msg length = 0x0029 (41)

So if that message "contains (n)some(n)domain(n)com(n)\n" I want to exclude it.

ruflin · December 20, 2016, 8:38am

If I understand you correctly, if it contains something domain related, you want to exclude the complete event, correct? Perhaps you can try the playground here to make sure your regexp are correct: https://www.elastic.co/guide/en/beats/filebeat/5.1/multiline-examples.html Regexps are tricky

hybrid · December 21, 2016, 3:08am

Found the issue with this one.
Regex didn't like the '\n'

I am now using the following regex:
exclude_lines: ['(\d+)(?i:somedomain)(\d+)(?i:com)(\d+)(?i:au)(0)']

ruflin · December 21, 2016, 9:33am

Glad you found a solution and thanks for sharing it.

system · January 18, 2017, 9:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.