Journabeat (7.6) processors is ignored [Solved]

LaraSlim · May 5, 2020, 11:22am

Journalbeat installation on Linux with default configuration. Output is configured to external Logstash.
Everything works fine except drop_event processors.
Changes applied to journalbeat.yml:

#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

processors:
  - add_host_metadata: ~
 #- add_cloud_metadata: ~
 #- add_docker_metadata: ~
# This processor should drop events created by jorunalbeat.
processors:
  - drop_event:
      when:
        equals:
        # process.name: "journalbeat"
          systemd.unit: "journalbeat.service"

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
logging.level: warning

Using different syntax doesn't help:

- drop_event.when.equals.process.name: "journalbeat"
- drop_event.when.equals.systemd.unit: "journalbeat.service"

Can anyone chime in on why the drop_event process is completely ignored and journalbeat log messages arrive to Logstash regardless the field and name used in the condition?

Thank you in advance,
Lara

LaraSlim · May 6, 2020, 7:35am

It turns out that having several processors in the configuration is not supported.
Solved it with moving all rules under a single processors group.

Topic		Replies	Views
Unable to drop events Beats winlogbeat	6	986	June 28, 2018
Drop_event processor doesn't work Beats	2	460	November 29, 2019
Filebeat drop_event Beats filebeat	2	3921	July 5, 2017
Drop event processor not working on Filebeat Beats filebeat	5	462	August 30, 2023
Auditbeat processor ignores drop_event Beats auditbeat	4	554	February 22, 2022

Journabeat (7.6) processors is ignored [Solved]

Related topics