K
Q

Filebeat on kubernetes - excluding namespaces doesn't work

2/14/2019

I have a filebeat outside of the kubernetes cluster, installed as an application on the host. I want to ignore two namespaces in filebeat, since they are very large and I don't need them within elastichsearch.

Here is my input definition in filebeat.yml:

- type: log
  enabled: true
  paths:
    - /var/lib/docker/containers/*/*.log
  json.message_key: log
  json.keys_under_root: true
  processors:
    - add_kubernetes_metadata:
        in_cluster: false
        host: main-backend
        kube_config: /etc/kubernetes/admin.conf
    - drop_event.when.regexp:
        or:
          - kubernetes.namespace: "kube-system"
          - kubernetes.namespace: "monitoring"

However, I still see a lot of log from those namespaces within my elasticsearch. Is there any way to debug it why is it happening?

-- Djent
elasticsearch
filebeat
kubernetes

Similar Questions

How to setup kubernetes nginx ingress without load balancer?
Spring boot actuator health check in Openshift/Kubernetes
Helm error : Error: the server has asked for the client to provide credentials
How do you output the node_port value with Terraform's kubernetes_service?
Implement Dask workers on Kubernetes overriding default values

1 Answer

2/14/2019

Can you try as given below

- drop_event:
          when:
            or:
            - not:
                equals:
                  kubernetes.namespace: "kube-system"
            - not:
                equals:
                  kubernetes.namespace: "monitoring"
            - regexp:
                kubernetes.pod.name: "filebeat-*"
            - regexp:
                kubernetes.pod.name: "elasticsearch-*"
-- P Ekambaram
Source: StackOverflow