We are using Filebeat to collect logs and I cannot help but notice that we have a lot of unnecessary information collected with each log from Filebeat. Moreover, many pieces of that information are duplicated within a single log entry.
The following meta fields provide the same information:
I assume some of the fields are sent from Filebeat and some are added by Graylog based on what is sent from Filebeat, and this is how the duplication is created.
    rule "Remove redundant meta fields"
    when
      has_field("filebeat_log_offset")
    then
      remove_field("filebeat_log_offset");
      remove_field("filebeat_input_type");
      remove_field("filebeat_ecs_version");
      remove_field("filebeat_agent_version");
      remove_field("filebeat_agent_type");
      remove_field("filebeat_agent_name");
      remove_field("filebeat_agent_hostname");
      remove_field("filebeat_@metadata_beat");
      remove_field("filebeat_@metadata_version");
      remove_field("filebeat_@timestamp");
      remove_field("filebeat_@metadata_type");
    end
But I still would love to know if it’s possible to configure Filebeat to not send all of this data at all.
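
An added example, not part of the original post: a Filebeat-side `drop_fields` processor for the fields that the pipeline rule above removes in Graylog. The dotted field names are an assumption, derived by treating each `filebeat_*` name as the Filebeat field with a prefix added and dots replaced by underscores.

```yaml
# filebeat.yml (fragment, added example)
# Drops the agent/ECS/input metadata at the shipper, before the event
# leaves the host, so the data is not transmitted or stored at all.
processors:
  - drop_fields:
      fields:
        - log.offset        # assumed source of filebeat_log_offset
        - input.type        # assumed source of filebeat_input_type
        - ecs.version       # assumed source of filebeat_ecs_version
        - agent.version     # assumed source of filebeat_agent_version
        - agent.type        # assumed source of filebeat_agent_type
        - agent.name        # assumed source of filebeat_agent_name
        - agent.hostname    # assumed source of filebeat_agent_hostname
      # Do not fail the processor when an event lacks one of the fields.
      ignore_missing: true

# Not listed on purpose:
#   @timestamp   - drop_fields cannot drop it, even when it is listed.
#   @metadata.*  - left to the Graylog pipeline rule in this example.
```

With this in place, the pipeline rule only needs to keep its `filebeat_@timestamp` and `filebeat_@metadata_*` lines. Keep `agent.hostname` or `agent.name` if they are the only record of which host produced a log line, since that attribution matters during an investigation.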