Filestream exclude_lines doesn't appear to be working

I'm trying to stop the inclusion of healthcheck log lines from being sent to Elasticsearch.

In the filestream docs there is the exclude_lines option which is an array of regex.

So if I want to filter out lines that contain /healthz or /ping then I should add in

exclude_lines: ['/healthz', '/ping']

into the "Custom configuration" in the "Collect kubernetes container logs" section in the Kubernetes integration config for the agent policy. Like the following?

But I still see them coming through from the agent.

Hi @Steve_Foster

Not a RegExpert... but did you try...

exclude_lines: ['\/healthz', '\/ping']

Hi @stephenb

yeah that was my second thought...


but that doesn't work either.

Can you please share a couple of lines of good vs. to exclude?

{"content_length":0,"http_version":"1.1","level":"info","method":"GET","response_time":0.0162,"status":204,"timestamp":"2024-06-23T19:57:49.261Z","url":"/healthz","user_agent":"kube-probe/1.28+"}
{"content_length":0,"http_version":"1.1","level":"info","method":"GET","response_time":0.02162,"status":204,"timestamp":"2024-06-23T19:57:59.259Z","url":"/healthz","user_agent":"kube-probe/1.28+"}
{"content_length":0,"http_version":"1.1","level":"info","method":"GET","response_time":0.013789,"status":204,"timestamp":"2024-06-23T19:57:59.260Z","url":"/healthz","user_agent":"kube-probe/1.28+"}
{"content_length":0,"http_version":"1.1","level":"info","method":"GET","response_time":0.021483,"status":204,"timestamp":"2024-06-23T19:58:09.260Z","url":"/healthz","user_agent":"kube-probe/1.28+"}
{"content_length":0,"http_version":"1.1","level":"info","method":"GET","response_time":0.017812,"status":204,"timestamp":"2024-06-23T19:58:09.261Z","url":"/healthz","user_agent":"kube-probe/1.28+"}

I think perhaps the issue is it's going through the json parser first, so it's extracting the ndjson first before exclude... But I can't say for sure... Not at my desk at the moment...

The decoding happens before line filtering. You can combine JSON decoding with filtering if you set the message_key option. This can be helpful in situations where the application logs are wrapped in JSON objects, like when using Docker.

So perhaps use drop event processor and see if that works (it will).

Probably easy to test. Take out the json parser and see if it drops the lines...


Yeah drop_event works as expected... Thanks

@Steve_Foster, can you share your drop_event code in case anyone else ends up in this topic? Thanks.

Sure thing

- drop_event:
    when:
      or:
        - equals:
            RequestPath: "/ping"
        - equals:
            url: "/healthz"

I suspect that I will find some others over time and add them to this list

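An added example, not written by any poster in this thread and not Elastic's code: it compares what the two approaches discussed above would suppress, modelling exclude_lines as an unanchored regex search over the raw line and the drop_event as a field-level equals check on the decoded JSON. The sample lines, the function names and the small condition evaluator (or/and/not/equals only) are constructed assumptions for illustration.

```python
import json
import re

# Constructed sample events: the first is shaped like the probe lines in the
# thread; the other two are invented to show over-matching.
SAMPLE_LINES = [
    '{"method":"GET","status":204,"url":"/healthz","user_agent":"kube-probe/1.28+"}',
    '{"method":"POST","status":200,"url":"/api/pingback","user_agent":"curl/8.0"}',
    '{"method":"GET","status":403,"url":"/admin","referer":"https://example.test/healthz"}',
]

# The patterns proposed for exclude_lines in the thread.
EXCLUDE_PATTERNS = [re.compile(p) for p in ("/healthz", "/ping")]

# The drop_event condition from the thread, written as a Python dict.
DROP_WHEN = {"or": [{"equals": {"RequestPath": "/ping"}},
                    {"equals": {"url": "/healthz"}}]}


def regex_excludes(line):
    """Assumed model of exclude_lines: unanchored search over the raw line."""
    return any(p.search(line) for p in EXCLUDE_PATTERNS)


def condition_matches(cond, event):
    """Evaluate a hypothetical subset of Beats conditions: or, and, not, equals."""
    if "or" in cond:
        return any(condition_matches(c, event) for c in cond["or"])
    if "and" in cond:
        return all(condition_matches(c, event) for c in cond["and"])
    if "not" in cond:
        return not condition_matches(cond["not"], event)
    if "equals" in cond:
        # Exact comparison per field; a missing field never matches.
        return all(event.get(k) == v for k, v in cond["equals"].items())
    raise ValueError(f"unsupported condition: {sorted(cond)}")


def compare(lines):
    """Return (url, dropped_by_regex, dropped_by_equals) for each line."""
    rows = []
    for line in lines:
        event = json.loads(line)
        rows.append((event["url"], regex_excludes(line),
                     condition_matches(DROP_WHEN, event)))
    return rows


if __name__ == "__main__":
    for url, by_regex, by_equals in compare(SAMPLE_LINES):
        print(f"{url:15} regex={by_regex!s:5} equals={by_equals}")
```

On these inputs the raw-line patterns would also suppress the `/api/pingback` request and the 403 on `/admin` (its referer contains `/healthz`), while the field-level condition drops only the probe event.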