[collector][filebeat] lines to exclude using multiple regexp

Hello,

I’m trying to use multiple regexp to exclude lines from logs sent by collector/filebeat.
In the web interface, I entered regexps in the format:
['.test.domain.foo.bar.', '.test.domain.foo.com.', …]

In the resulting generated Filebeat log, I have my regexp under lines to exclude w/ one line per regexp (lines are dns.json from suricata):

Problem is that matching lines still get sent to Graylog.

Anyone with an idea or exact syntax to use it?

Hi,
your syntax looks fine to me. Maybe the pattern doesn’t match the log messages you want to exclude?

I would try it with ['.*test.domain.foo.bar.*'] instead. Further reading can be found here:

https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html#exclude-lines

and

https://www.elastic.co/guide/en/beats/filebeat/current/regexp-support.html

Cheers,
Marius

Hi Marius,

Just made a copy/paste error when posting my initial message, didn’t see that your platform is escaping them :slight_smile: My regexps are indeed in the form you propose:

  • .*test\.domain-1\.foo\.bar.*

Validated them in Go against the full message and they are correct. Just upgraded to collector 0.1.1, will try to see if it changes anything.

Ok, the problem is in fact only on domains with a dash ‘-’ in them, which do not get filtered using:

  • .*test.domain-1.foo.bar.*
  • .*test.domain\-1.foo.bar.*
  • .*test.domain.*foo.bar.*
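
An added example (not posted by anyone in this thread): a Go check that runs the three patterns above against constructed Suricata-style DNS lines and drops every line that matches any pattern, which is how the linked Filebeat documentation describes exclude_lines. It uses Go's standard regexp package only; the function names and the sample lines are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// The three expressions from the thread, as raw strings (no extra escaping layer).
var excludePatterns = []string{
	`.*test.domain-1.foo.bar.*`,
	`.*test.domain\-1.foo.bar.*`,
	`.*test.domain.*foo.bar.*`,
}

// Constructed sample lines shaped like Suricata dns.json events.
var sampleLines = []string{
	`{"event_type":"dns","dns":{"type":"query","rrname":"test.domain-1.foo.bar"}}`,
	`{"event_type":"dns","dns":{"type":"query","rrname":"test.domain.foo.bar"}}`,
	`{"event_type":"dns","dns":{"type":"query","rrname":"www.example.org"}}`,
}

// compileAll compiles every pattern and reports which one fails, if any.
func compileAll(patterns []string) ([]*regexp.Regexp, error) {
	res := make([]*regexp.Regexp, 0, len(patterns))
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("pattern %q: %w", p, err)
		}
		res = append(res, re)
	}
	return res, nil
}

// keepLines returns the lines that no pattern matches (the ones that would be shipped).
func keepLines(res []*regexp.Regexp, lines []string) []string {
	var kept []string
outer:
	for _, line := range lines {
		for _, re := range res {
			if re.MatchString(line) {
				continue outer // excluded: at least one pattern matched
			}
		}
		kept = append(kept, line)
	}
	return kept
}

func main() {
	res, err := compileAll(excludePatterns)
	if err != nil {
		fmt.Println("compile error:", err)
		return
	}
	for _, line := range keepLines(res, sampleLines) {
		fmt.Println("would be shipped:", line)
	}
}
```

Running the same check against a line copied from the real dns.json file and the pattern text copied from the generated Filebeat configuration shows whether the expression itself or a later processing step is responsible for a line getting through.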