Journalbeat and Filebeat store the same messages, how should that be handled?

Journald and syslog can contain the exact same data at times.

For example, running ansible generates lots of "echo BECOME-SUCCESS-< random string >" messages. I can find the exact same messages in both my journalbeat-* and filebeat-* indexes.

What strategies do you use to deal with that kind of duplication?

Do you watch for it, then tell filebeat or journalbeat to drop events that the other one covers?

Does journald contain all the information syslog would, so we could just ignore syslog?

Any other ideas?

Just a little bump.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.