How to constrain Filebeat to only ship logs to ELK if they contain a specific field?

4/1/2019

I’m trying to collect logs from Kubernetes nodes using Filebeat and ONLY ship them to ELK IF the logs originate from a specific Kubernetes Namespace.

So far I’ve discovered that you can define Processors, which I think accomplish this. However, no matter what I do, I cannot get the shipped logs to be constrained. Does this look right?

Hm, does this look correct then?

filebeat.config:
  inputs:
    path: ${path.config}/inputs.d/*.yml
    reload.enabled: true
    reload.period: 10s
    when.contains:
      kubernetes.namespace: "NAMESPACE"
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false
  processors:
    - add_kubernetes_metadata:
      namespace: "NAMESPACE"
xpack.monitoring.enabled: true
output.elasticsearch:
  hosts: ['elasticsearch:9200']

Despite this configuration I still get logs from all of the namespaces.

Filebeat is running as a DaemonSet on Kubernetes. Here is an example of an expanded log entry: https://i.imgur.com/xfTwbhl.png

-- TJ Zimmerman
elastic-stack
elasticsearch
filebeat
kubernetes

2 Answers

4/2/2019

In the end, I resolved this by moving the drop processor from the main configuration file to the input configuration file.

-- TJ Zimmerman
Source: StackOverflow

4/2/2019

You have a number of options to do it:

  1. Filter data by Filebeat (drop every event that does not carry the field):
processors:
  - drop_event:
      when:
        not:
          has_fields: ['field']
  2. Use an ingest pipeline in Elasticsearch:
output.elasticsearch:
  hosts: ["localhost:9200"]
  pipeline: my_pipeline_id

And then drop events in the pipeline:

PUT _ingest/pipeline/my_pipeline_id
{
  "processors": [
    {
      "drop": {
        "if": "ctx['field'] == null"
      }
    }
  ]
}
  3. Use the drop filter of Logstash:
filter {
  if ![field] {
    drop { }
  }
}
-- ozlevka
Source: StackOverflow
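The following is an added example, not configuration from the question or from either answer. It is a complete Filebeat configuration that applies the fix described in the first answer (the drop_event processor sits on the input, in the same processors list as add_kubernetes_metadata) and the first option of the second answer. The namespace name NAMESPACE, the container log path, the NODE_NAME variable and the Elasticsearch host are placeholders assumed for illustration; the container input type assumes Filebeat 7.x.

```yaml
# Added example (not the asker's or the answerers' configuration): ship only
# the logs of one Kubernetes namespace from a Filebeat DaemonSet.
# Placeholders assumed for illustration: NAMESPACE, NODE_NAME, the log path
# and the Elasticsearch host.
filebeat.inputs:
  - type: container
    paths:
      - /var/log/containers/*.log
    # Processors attached to an input run in the order listed, so the
    # metadata enrichment below happens before the drop decision that
    # depends on kubernetes.namespace. Keeping both in one list makes the
    # ordering explicit instead of relying on input-vs-global placement.
    processors:
      - add_kubernetes_metadata:
          host: ${NODE_NAME}
          matchers:
            - logs_path:
                logs_path: "/var/log/containers/"
      # Allow-list: drop everything that is NOT from the wanted namespace.
      # 'equals' is an exact match; 'contains' would also keep events from
      # "NAMESPACE-staging" or any namespace with NAMESPACE as a substring.
      # An event that never received kubernetes metadata fails 'equals' and
      # is dropped as well, which is the safe direction for an allow-list.
      - drop_event:
          when:
            not:
              equals:
                kubernetes.namespace: "NAMESPACE"

output.elasticsearch:
  hosts: ['elasticsearch:9200']
```

If you keep the reloadable layout from the question (filebeat.config.inputs pointing at inputs.d/*.yml), the same input goes into that file unchanged, starting at the `- type: container` list item, since an external input file is a top-level list of inputs. Note that the `namespace` option of add_kubernetes_metadata only restricts which namespace the processor collects metadata from; it does not drop events from other namespaces, so a drop_event condition is still required. `filebeat test config -c filebeat.yml` checks the syntax before rolling the DaemonSet.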