hybrid
(Jeff Mills)
December 16, 2016, 5:45am
1
Running FileBeat 5.1
filebeat.prospectors:
- input_type: log
  paths:
    - c:\\DNSLogging\\trace.log
  include_lines: ['^[0-9]{1,2}\/[0-9]{1,2}\/[0-9]{4}\s{1,2}[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\s{1,2}', '^\\s{2}Msg\\slength']
  exclude_lines: ['\(\d+\)some\(\d+\)domain\(\d+\)com\(\d+\)\\n']
  multiline.pattern: ^\d{1,2}\/\d{1,2}\/\d{4}\s{1,2}\d{1,2}:\d{1,2}:\d{1,2}\s{1,2}AM|PM
  multiline.negate: true
  multiline.match: after
  multiline.max_lines: 7
I want to exclude internal lookups.
But (n)some(n)domain(n)com(n) is still being included in the output.
My understanding is that the multiline should be put to a single line first. Then the include_lines should trigger. Then exclude lines should go last.
Any idea what might be wrong?
ruflin
(ruflin)
December 16, 2016, 8:55am
3
Could you share some example logs that you are processing? Also enabling debug logging for filebeat could help you to detect the problem.
hybrid
(Jeff Mills)
December 16, 2016, 9:16am
4
Sure, I'll post something when I get back to work next week, thanks.
hybrid
(Jeff Mills)
December 18, 2016, 9:29pm
5
19/12/2016 8:10:57 AM 0AE0 PACKET 000000F7530B58F0 UDP Rcv 127.0.0.1 856b Q [0001 D NOERROR] A (6)server(4)some(6)domain(3)com(0)
UDP question info at 000000F7530B58F0
Socket = 448
Remote addr 127.0.0.1, port 56279
Time Query=1374460, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x002c (44)
Message:
XID 0x856b
Flags 0x0100
QR 0 (QUESTION)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 1
RA 0
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 0
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
Name "(6)server(4)some(6)domain(3)com(0)"
QTYPE A (1)
QCLASS 1
ANSWER SECTION:
empty
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
empty
I only care about the lines up to message length.
The resultant single line message looks something like this:
19/12/2016 8:11:52 AM 0AE0 PACKET 000000F753280310 UDP Rcv 127.0.0.1 fcca Q [0001 D NOERROR] A (6)server(4)some(6)domain(3)com(0)\nUDP question info at 000000F753280310\n Socket = 448\n Remote addr 127.0.0.1, port 59602\n Time Query=1374515, Queued=0, Expire=0\n Buf length = 0x0fa0 (4000)\n Msg length = 0x0029 (41)
So if that message contains "(n)some(n)domain(n)com(n)\n" I want to exclude it.
ruflin
(ruflin)
December 20, 2016, 8:38am
6
If I understand you correctly, if it contains something domain related, you want to exclude the complete event, correct? Perhaps you can try the playground here to make sure your regexps are correct: https://www.elastic.co/guide/en/beats/filebeat/5.1/multiline-examples.html
Regexps are tricky.
hybrid
(Jeff Mills)
December 21, 2016, 3:08am
7
Found the issue with this one.
Regex didn't like the '\n'
I am now using the following regex:
exclude_lines: ['(\d+)(?i:somedomain)(\d+)(?i:com)(\d+)(?i:au)(0)']
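An added example, written for this thread and not code from Filebeat or from any of the posters, that reproduces the behaviour described in the first post and resolved above. It uses Go's regexp package, whose RE2 syntax is what Filebeat compiles its patterns with: a constructed two-event DNS debug log is joined the way multiline.negate: true, multiline.match: after and max_lines: 7 join it, then include_lines and exclude_lines are applied in that order, and the first exclude pattern (whose trailing `\\n` reaches RE2 unchanged from the YAML single quotes and means a literal backslash followed by n) is compared with a pattern that matches the real newline and with one that matches only the name labels. The sample log, the second event's name and address, the emulation of the multiline reader and the grouping of AM|PM in the start pattern are my assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample in the layout of the Windows DNS debug log quoted in the thread: an
// internal lookup followed by an external one (the second event's name, address and IDs
// are made up; leading spaces on the detail lines are as the DNS server writes them).
const sampleLog = `19/12/2016 8:10:57 AM 0AE0 PACKET 000000F7530B58F0 UDP Rcv 127.0.0.1 856b Q [0001   D   NOERROR] A      (6)server(4)some(6)domain(3)com(0)
UDP question info at 000000F7530B58F0
  Socket = 448
  Remote addr 127.0.0.1, port 56279
  Time Query=1374460, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x002c (44)
  Message:
19/12/2016 8:11:03 AM 0AE0 PACKET 000000F753280310 UDP Rcv 10.1.2.3 1a2b Q [0001   D   NOERROR] A      (3)www(7)example(3)org(0)
UDP question info at 000000F753280310
  Socket = 448
  Remote addr 10.1.2.3, port 59602
  Time Query=1374515, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x0029 (41)
  Message:
`

var (
	// multiline.pattern from the thread with AM|PM grouped: RE2 alternation binds loosest,
	// so the ungrouped "...|PM" would also start an event at any line containing "PM".
	eventStart = regexp.MustCompile(`^\d{1,2}/\d{1,2}/\d{4}\s{1,2}\d{1,2}:\d{1,2}:\d{1,2}\s{1,2}(AM|PM)`)
	// include_lines: the joined event must begin with the timestamp.
	includeLines = []*regexp.Regexp{regexp.MustCompile(`^\d{1,2}/\d{1,2}/\d{4}\s{1,2}\d{1,2}:\d{1,2}:\d{1,2}\s{1,2}`)}
	// exclude_lines as first posted. A Go raw string hands `\\n` to the regex engine
	// unchanged, exactly as a YAML single-quoted string does, and RE2 reads that as a
	// literal backslash followed by 'n'; the joined event has a real newline there.
	excludeAsPosted = regexp.MustCompile(`\(\d+\)some\(\d+\)domain\(\d+\)com\(\d+\)\\n`)
	// Same pattern with the RE2 newline escape: it now matches the end of the first line.
	excludeNewline = regexp.MustCompile(`\(\d+\)some\(\d+\)domain\(\d+\)com\(\d+\)\n`)
	// Simplest form: match the length-prefixed labels anywhere, case-insensitively.
	excludeName = regexp.MustCompile(`(?i)\(\d+\)some\(\d+\)domain\(\d+\)com\(0\)`)
)

// joinMultiline emulates the multiline reader with negate: true, match: after: a line
// matching startPat begins a new event, any other line is appended to the current one,
// and lines past maxLines are discarded. Events are joined with "\n", which is the
// text include_lines and exclude_lines are then matched against.
func joinMultiline(raw string, startPat *regexp.Regexp, maxLines int) []string {
	var events, cur []string
	for _, line := range strings.Split(strings.TrimRight(raw, "\n"), "\n") {
		if startPat.MatchString(line) && len(cur) > 0 {
			events = append(events, strings.Join(cur, "\n"))
			cur = nil
		}
		if len(cur) < maxLines {
			cur = append(cur, line)
		}
	}
	if len(cur) > 0 {
		events = append(events, strings.Join(cur, "\n"))
	}
	return events
}

func matchAny(pats []*regexp.Regexp, s string) bool {
	for _, p := range pats {
		if p.MatchString(s) {
			return true
		}
	}
	return false
}

// filterEvents applies include_lines first (an event survives only if some pattern
// matches; an empty list keeps everything), then exclude_lines (any match drops it).
func filterEvents(events []string, include, exclude []*regexp.Regexp) []string {
	var kept []string
	for _, ev := range events {
		if (len(include) == 0 || matchAny(include, ev)) && !matchAny(exclude, ev) {
			kept = append(kept, ev)
		}
	}
	return kept
}

// applyConfig runs the sample through multiline (max_lines: 7), include_lines and one
// exclude_lines pattern, returning the events that would be shipped.
func applyConfig(exclude *regexp.Regexp) []string {
	return filterEvents(joinMultiline(sampleLog, eventStart, 7), includeLines, []*regexp.Regexp{exclude})
}

func main() {
	for _, c := range []struct {
		name string
		pat  *regexp.Regexp
	}{
		{"exclude as posted (literal backslash + n)", excludeAsPosted},
		{"exclude with a real newline escape", excludeNewline},
		{"exclude on the name labels only", excludeName},
	} {
		fmt.Printf("%-44s %d of 2 events shipped\n", c.name+":", len(applyConfig(c.pat)))
	}
}
```

With max_lines: 7 each joined event ends at the "Msg length" line, matching the single-line message shown earlier in the thread; the pattern as first posted ships both events, while either corrected pattern drops the internal lookup. The Elasticsearch output shows the joined event with `\n` sequences because it is JSON-encoded, which is easy to mistake for a literal backslash-n in the text the regex sees.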
ruflin
(ruflin)
December 21, 2016, 9:33am
8
Glad you found a solution and thanks for sharing it.
system
(system)
Closed
January 18, 2017, 9:34am
9
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.