Graylog exclude option not working for my input

jaikumarkrishna · March 7, 2018, 9:54am

HI,

I am processing sql error log files . Below 2 lines are my input .

I want to ignore first line input format , it pickes secondline format data.
2018-03-07 15:05:01.90 Logon Error: 18456, Severity: 14, State: 7.
2018-03-07 15:05:01.90 Logon Login failed for user ‘usr’. Reason: An error occurred while evaluating the password. [CLIENT: 1.1.1.1]

So in collector filebeat configuration in exclude option i gave below regex. I dont thing any problem with regex.
^%{DATE} %{TIME}\s+Logon\s+Error:\s+[\d]+,\s+Severity:\s+[\d]+,\s+State:\s+[\d]+.

regex

, but still i am getting first line inputs. Please help me to resolve the issue. filebeat_config

Thanks,
Jay’

jan · March 7, 2018, 9:59am

Hej Jay

Graylog did not work with multiline Grok Pattern currently.

for reference: https://github.com/Graylog2/graylog2-server/issues/2465

jaikumarkrishna · March 7, 2018, 10:02am

Hi Jan,

Thanks for your reply.
Below lines are 2 different type of inputs ,all are single line format , I want to ignore first input and my collector ll pick second format. So i am using regex to achieve this. But its not excluding first format.

2018-03-07 15:05:01.90 Logon Error: 18456, Severity: 14, State: 7.
2018-03-07 15:05:01.90 Logon Login failed for user ‘usr’. Reason: An error occurred while valuating the password. [CLIENT: 1.1.1.1]

jan · March 7, 2018, 12:49pm

sorry misunderstood

Filebeat did not know GROK - you need to use full regex for that.

jaikumarkrishna · March 7, 2018, 12:51pm

Thanks Jan,

Let me try with regex.

jaikumarkrishna · March 8, 2018, 4:50am

HI Jan,
I given below regex to exclude
2018-03-07 15:05:01.90 Logon Error: 18456, Severity: 14, State: 7
^[\d]+-[\d]+-[\d]+\s+[\d]+:[\d]+:[\d]+.[\d]+\s+Logon\s+Error:\s+[\d]+,\s+Severity:\s+[\d]+,\s+State:\s+[\d]+
but its not excluding .
Thanks,
Jay’

system · March 22, 2018, 4:51am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.