Include only error

Hi, I am using Filebeat 7.6 with the Filebeat config below:

logging.level: error
filebeat.inputs:

  - type: syslog
    protocol.tcp.host: "localhost:5000"

include_lines: ['error']

I would like, for example, to include only error or warning messages and exclude info messages on syslog.

Feb 27 17:30:02 SERVER filebeat[32050]: Exiting: error loading config file: yaml: line 23: did not find expected key
Feb 27 17:30:02 SERVER systemd[1]: filebeat.service: Main process exited, code=exited, status=1/FAILURE
Feb 27 17:30:02 SERVER systemd[1]: filebeat.service: Unit entered failed state.
Feb 27 17:30:02 SERVER systemd[1]: filebeat.service: Failed with result 'exit-code'.
Feb 27 17:30:02 SERVER systemd[1]: filebeat.service: Service hold-off time over, scheduling restart.
Feb 27 17:30:02 SERVER systemd[1]: Stopped Filebeat sends log files to Logstash or directly to Elasticsearch..

But it still doesn't work; I still receive all events.

Any idea why it didn't work?

Thanks

Hi!

From "Exiting: error loading config file: yaml: line 23: did not find expected key" it seems that your configuration yml is not valid. Please try to validate it before using it. There are plenty of yml validators online to use.

C.

Hi ,

Thanks for your reply.

I have already corrected the line in filebeat.yml; the Filebeat client works fine.

filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/lib/systemd/system/filebeat.service; disabled; vendor preset: enabled)
Active: active (running) since Thu 2020-02-27 17:43:49 CET; 18h ago
Docs: https://www.elastic.co/products/beats/filebeat
Main PID: 32381 (filebeat)
Tasks: 10 (limit: 4915)
CGroup: /system.slice/filebeat.service
└─32381 /usr/share/filebeat/bin/filebeat -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat

I still receive all lines from the syslog client. I would like to ship only errors, but include_lines doesn't seem to work.

Could you provide your full configuration please?

Now it works with the following config:
#=========================== Filebeat inputs =============================
logging.level: error
filebeat.inputs:

  - type: syslog
    protocol.tcp.host: "localhost:5000"
    processors:
      - drop_event.when.not.regexp.message: "error"

Quick question: how can I match multiple words, for example ("error", "warning", "Failure")?

I tried:
processors:

  - drop_event.when.not.regexp.message: ['error','failure']

but it doesn't work.

thx

Hey.

Maybe you can use an or condition: https://www.elastic.co/guide/en/beats/filebeat/master/defining-processors.html#condition-or
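
The `or` condition suggested above, applied to the working config from this thread (an added example, not posted by any participant; the three patterns and the `(?i)` case-insensitive flag are assumptions chosen to cover the words asked about):

```yaml
logging.level: error
filebeat.inputs:
  - type: syslog
    protocol.tcp.host: "localhost:5000"
    processors:
      # Drop every event whose message matches none of the patterns below,
      # so only error, warning and failure lines are shipped.
      - drop_event:
          when:
            not:
              or:
                # regexp conditions are case-sensitive by default;
                # (?i) also matches "ERROR", "Failure", "FAILURE", etc.
                - regexp:
                    message: "(?i)error"
                - regexp:
                    message: "(?i)warning"
                - regexp:
                    message: "(?i)failure"

# Same filter as one condition using regex alternation (assumed alternative):
#     - drop_event.when.not.regexp.message: "(?i)(error|warning|failure)"
```

Each `regexp` condition takes a single pattern string per field, so several words go into separate entries under `or` or into one alternation. Running `filebeat test config -c /etc/filebeat/filebeat.yml` checks the file for YAML and option errors before the service is restarted.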
