Develop Reference

Filebeat: How to remove log if some key or value exist?

filebeat version 7.17.3
i have 3 different logs for example
{"level":"debug","message":"Start proxy checking","module":"proxy","timestamp":"2022-05-18 23:22:15 +0200"}
{"level":"info","message":"Attempt to get proxy","module":"proxy","timestamp":"2022-05-18 23:22:17 +0200"}
{"campaign":"18","level":"warn","message":"Missed or empty list","module":"loader","session":"pYpifim","timestamp":"2022-05-18 23:27:46 +0200"}
how is it possible to not provide/filter out the log to logstash or elasticsearch if level is equal "info"
how is it possible to not provide/filter out the log to logstash or elasticsearch if key campaign does not exist?
in FileBeat i have following
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~
- decode_json_fields:
fields: ["message"]
process_array: false
max_depth: 1
target: ""
overwrite_keys: true
add_error_key: true
- drop_fields:
fields: ["agent", "host", "log", "ecs", "input", "location"]
but with drop_fields i can remove some field and i need to not save completely log if key or value are exist!
in Logstash to delete those events is no problem - see below, but how to do this in filebeats?
/etc/logstash/conf.d/40-filebeat-to-logstash.conf
input {
beats {
port => 5044
include_codec_tag => false
}
}
filter {
if "Start proxy checking" in [message] {
drop { }
}
if "Attempt to get proxy" in [message] {
drop { }
}
}
output {
elasticsearch {
hosts => ["http://xxx.xxx.xxx.xxx:9200"]
# index => "myindex"
index => "%{[#metadata][beat]}-%{[#metadata][version]}-%{+yyyy.MM.dd}"
}
}
Thank you in Advance

in filebeat there is drop events processor,
processors:
- drop_event:
when:
condition
https://www.elastic.co/guide/en/beats/filebeat/7.17/drop-event.html

Tags in logstash

How to direct postfix logs to index postfix ?
In logstash config
input {
beats {
port => 5044
}
}
filter {
grok {
}
}
output {
if "postfix" in [tags]{
elasticsearch {
hosts => "localhost:9200"
index => "postfix-%{+YYYY.MM.dd}"
}
}
}
In filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/maillog*
exclude_files: [".gz$"]
tags: ["postfix"]
output.logstash:
hosts: ["10.50.11.8:5044"]
In the log logstash a lot
[WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"newrelicdata", :_type=>"_doc", :routing=>nil}, #<LogStash::Event:0x4ceb504a>], :response=>{"index"=>{"_index"=>"newrelicdata", "_type"=>"_doc", "_id"=>"V7x2z20Bp3jq-MOqpNbt", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [host] of type [text] in document with id 'V7x2z20Bp3jq-MOqpNbt'. Preview of field's value: '{name=mail.domain.com}'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:521"}}}}}
Why date from mail.domain.com try to get not in index postfix ? And the data is trying to get into all the indexes ? Any help

I think the logs contain field name "host", so it's throwing an error as "failed to parse field [host] of type [text]"
mutate {
rename => ["host", "server"]
convert => {"server" => "string"}
}

As I tried sending the logs with the below filebeat.yml configurations,
filebeat.inputs:
- type: log
enabled: true
paths:
- /home/varsha/ELK7.4/logs/*.log
tags: ["postfix"]
output.logstash:
hosts: ["localhost:5044"]
By the above configurations and the files you have shared with me are working fine and got the expected result, please check it in https://pastebin.com/f6e0E52S

ELK | Log file grok filtered format not pushing into elastic search

I have log file having below format to extract into elastic search, but logstash filtered data not pushing into elastic search.
Same grok filtered configuration am able to get it from kibana devtools
Sample logfile:
OCDE - 2019-05-22 13:24:34.000 ERROR org.ramyam.ocde.task.NBALookupTask.checkResponsesToBeProcessed - checkResponsesToBeProcessed started : Wed May 22 13:24:34 IST 2019
Filebeat configuration:
filebeat.inputs:
- type: log
enabled: true
paths:
- C:\data\logs\OCDE.log
document_type: ocde
logstash configuration:
input {
file {
type => "ocde"
path => "C:\data\logs\OCDE.log"
}
beats {
port => 5044
ssl => false
}
}
filter {
grok {
match => [ "message" ,'%{DATA:moduleName} - %{TIMESTAMP_ISO8601:loggerTime}\s+%{LOGLEVEL:level}\s+%{JAVACLASS:className}\.%{DATA:methodName} - %{GREEDYDATA:loggermsg}}']
}
}
output {
if [type]=="ocde"
{
elasticsearch
{
hosts => ["localhost:9200"]
#manage_template => false
index => "enliven_be_log_yyyymmdd"
document_type=> ocde
}
}
}
I am expecting below result from an above configuration in elastic search
{
"level": "ERROR",
"loggerTime": "2019-05-22 13:24:34.000",
"moduleName": "OCDE",
"methodName": "checkResponsesToBeProcessed",
"className": "org.ramyam.ocde.task.NBALookupTask",
"loggermsg": "checkResponsesToBeProcessed started : Wed May 22 13:24:34 IST 2019"
}
Can anyone please explain or share sample configuration what I am missing

You can try below grok pattern -
%{DATA:moduleName}%{SPACE}*-%{SPACE}*%{TIMESTAMP_ISO8601:loggerTime}%{SPACE}*%{LOGLEVEL:level}%{SPACE}*%{JAVACLASS:className}\.%{DATA:methodName}%{SPACE}*-%{SPACE}*%{GREEDYDATA:loggermsg}

Change your grok from:
%{DATA:moduleName} - %{TIMESTAMP_ISO8601:loggerTime}\s+%{LOGLEVEL:level}\s+%{JAVACLASS:className}\.%{DATA:methodName} - %{GREEDYDATA:loggermsg}}
to:
%{DATA:moduleName} - %{TIMESTAMP_ISO8601:loggerTime}\s+%{LOGLEVEL:level}\s+%{JAVACLASS:className}\.%{DATA:methodName} - %{GREEDYDATA:loggermsg}
To validate this, use http://grokdebug.herokuapp.com/ and paste the log message you provided into the "
Your pattern works fine, you just had one extra bracket at the end.

How to use the index specified in Filebeat in logstash.yml?

I am using Filebeat to send log files over to my Logstash with the following configurations:
filebeat.inputs:
- type: log
enabled: true
paths:
- ${PWD}/filebeat-volume/data/*.txt
output.logstash:
enabled: true
hosts: ["elk:5044"]
index: "custom-index"
setup.kibana:
host: "localhost:5601"
and
input {
beats {
port => "5044"
}
}
output {
elasticsearch {
hosts => [ "localhost:9200" ]
index => "<WHAT SHOULD GO HERE???>"
}
}
In filebeat.yml, I am specifying an index ("custom index"). How can I set the same index in my logstash.yml to be sent to Elasticsearch?

I see what you want now, you should set Logstash with below output configuration, this way it will pass the index set in filebeat to Elasticsearch.
output {
elasticsearch {
hosts => [ "localhost:9200" ]
index => "%{[#metadata][beat]}"
}
}
Point 2 in this example

What is the pattern to match complete input in Logstash?

I am using ELK stack with filebeat.
filebeat.conf
filebeat:
prospectors:
-
paths:
- /home/ubuntu/logs_*
input_type: log
output:
logstash:
hosts: [${LOGSTASH_PORT_5044_TCP_ADDR}]
index: filebeat
console:
pretty: true
This is passing logs from a file logs_test
A sample log
{"name":"test","statusCode":0,"deployment":"production","hostname":"ip-random-address","level":30,"jobName":"testJob","date":"2016-07-18T03:15:02.075Z","jobType":"script","msg":"","time":"2016-07-18T03:15:02.076Z","v":0}
I want to make a HTTP call to an external URL when the field statusCode is 1
The entire log object is being passed to logstash.
My logstash config
input {
beats {
port => 5044
codec => "json"
}
}
output {
if ([statusCode] and [statusCode] == 1) {
http {
format=>"message"
http_method=>"post"
url=>"http://www.example.com"
message=>'{"text": "%{some_pattern_matcher}"}'
}
}
}
[Question] What should the "some_pattern_matcher" be to send all fields to HTTP request.
PS: %{mesage} does not work.

input {
beats {
port => 5044
codec => "json"
}
}
filter{
grok{
match => { "message" => "%{GREEDYDATA:data}" }
}
}
output {
if ([statusCode] and [statusCode] == 1) {
http {
format=>"message"
http_method=>"post"
url=>"http://www.example.com"
message=> %{data}
}
}
}
I haven't tried it out. So try this one and let me know if this solution works. If not please post the error(s) you got.