Include only error

armani_ani · February 27, 2020, 4:51pm

Hi , I am using filebeat 7.6
with the below filebeat config

logging.level: error
filebeat.inputs:

type: syslog
protocol.tcp.host: "localhost:5000"

include_lines: ['error']

I would like for example to include only error or warning message and exclude info message on syslog.

Feb 27 17:30:02 SERVER filebeat[32050]: Exiting: error loading config file: yaml: line 23: did not find expected key
Feb 27 17:30:02 SERVER systemd[1]: filebeat.service: Main process exited, code=exited, status=1/FAILURE
Feb 27 17:30:02 SERVE>R systemd[1]: filebeat.service: Unit entered failed state.
Feb 27 17:30:02 SERVER systemd[1]: filebeat.service: Failed with result 'exit-code'.
Feb 27 17:30:02 SERVER systemd[1]: filebeat.service: Service hold-off time over, scheduling restart.
Feb 27 17:30:02 SERVER systemd[1]: Stopped Filebeat sends log files to Logstash or directly to Elasticsearch..

But still not work i still receive all events.

Any idea why didn't work ?

Thanks

ChrsMark · February 28, 2020, 9:20am

Hi!

From Exiting: error loading config file: yaml: line 23: did not find expected key it seems that your configuration yml is not valid. Please to try to validate it before using it. There are plenty of yml validator online to use.

C.

armani_ani · February 28, 2020, 11:03am

Hi ,

thanks for you reply .

i have already correct the line on filebeat.yml , the filebeat client work fine.

filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/lib/systemd/system/filebeat.service; disabled; vendor preset: enabled)
Active: active (running) since Thu 2020-02-27 17:43:49 CET; 18h ago
Docs: https://www.elastic.co/products/beats/filebeat
Main PID: 32381 (filebeat)
Tasks: 10 (limit: 4915)
CGroup: /system.slice/filebeat.service
└─32381 /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat

I still receive all line from syslog client, i would like to ship only error but the include_lines doesn't seem to work .

ChrsMark · February 28, 2020, 2:30pm

Could you provide your full configuration please?

armani_ani · February 28, 2020, 4:12pm

now it work with the following config
#=========================== Filebeat inputs =============================
logging.level: error
filebeat.inputs:

type: syslog
protocol.tcp.host: "localhost:5000"
processors:
drop_event.when.not.regexp.message: "error"

quick question how i can match multiple words for example ( "error","warning","Failure") .

i try :
processors:

drop_event.when.not.regexp.message: ['error','failure']
but doesn't work .

thx

ChrsMark · March 4, 2020, 7:21am

Hey.

Maybe you can use an or condition: https://www.elastic.co/guide/en/beats/filebeat/master/defining-processors.html#condition-or

system · April 1, 2020, 7:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.