How can I match on all log files except ones containing a string

Elastic Stack Beats
1

We are ingesting the our CPanel system's Apache logs with Filebeat's handy apache module. Our configuration is as follows:

   var.paths:
      - "/var/log/apache2/domlogs/*"

However, I've hit a snag. I need to grab all files in this directory except logs containing -bytes. For example, one site would have the following logs in /var/log/apache2/domlogs/:

something.example.com
something.example.com-bytes_log
something.example.com-ssl_log

How can I tell filebeat to pickup something.example.com, something.example.com-ssl_log, but not something.example.com-bytes_log? I'm sure there is a way, but I don't see how to say match unless the file contains "-bytes"

2

Are those different lines or the names of different files? If files, just modify the glob. If lines u can use the exclude_lines config.

3

Thank for the reply @legoguy1000. Those are the names of different files. I was trying to make my expression match all files within /var/log/apache2/domlogs/*, but exclude files containing -bytes_log. I ended up taking the lazy route and dropping the event if the filename contains "-bytes_log"

- module: apache
  # Access logs
  access:

    enabled: true

    input:
      processors:
        - drop_event:
            when.contains:
              log.file.path: "-bytes_log"

It would have been nice to make the expression do an exclusion, but I couldn't get that working...