Journalbeat and Filebeat store the same messages, how should that be handled?

jerrac · April 29, 2020, 8:37pm

Journald and syslog can contain the exact same data at times.

For example, running ansible generates lots of "echo BECOME-SUCCESS-< random string >" messages. I can find the exact same messages in both my journalbeat-* and filebeat-* indexes.

What strategies do you use to deal with that kind of duplication?

Do you watch for it, then tell filebeat or journalbeat to drop events that the other one covers?

Does journald contain all the information syslog would, so we could just ignore syslog?

Any other ideas?

jerrac · May 7, 2020, 7:15pm

Just a little bump.

system · June 4, 2020, 9:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat events in syslog despite setting to_syslog: false Beats filebeat	5	1083	October 10, 2016
Journalbeat - ship from journald to ELK Beats beats-development	12	18383	July 5, 2017
Filebeat and journald? Beats filebeat	3	7740	July 5, 2017
Duplicate messages created by Journalbeat 6.7.1-1 Beats journalbeat	7	1319	November 4, 2022
Nasty feedback loop for syslog, if filebeat index is unavailable Beats filebeat	1	252	April 5, 2021

Journalbeat and Filebeat store the same messages, how should that be handled?

Related topics