I’m updating my monitoring and preparing an article for this blog, and I ran into an interesting problem. Messages were parsed and sent to Elasticsearch, but there was no obvious way to drop events based on a module’s input. My goal was to drop the requests made by Kubernetes for the liveness/readiness checks.

My example with Nginx:
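```yaml
- type: kubernetes
  templates:
    # Apply this template only to pods labelled k8s-app=nginx.
    # A condition is a single mapping, not a list.
    - condition:
        contains:
          kubernetes.labels.k8s-app: nginx
      config:
        - module: nginx
          access:
            input:
              type: container
              paths:
                - /var/log/containers/*-${data.kubernetes.container.id}.log
              exclude_lines: ["^\\s+[\\-`('.|_]"]
              # Processors set on the module's input run before the event is shipped.
              processors:
                - add_locale: ~
                # Drop any access-log line that contains "kube-probe".
                - drop_event.when.regexp.message: "kube-probe"
          error:
            input:
              type: container
              paths:
                - /var/log/containers/*-${data.kubernetes.container.id}.log
              exclude_lines: ["^\\s+[\\-`('.|_]"]
```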
I know it’s maybe not the safest way to process the logs, but in case of a problem the service will restart and the Filebeat Kubernetes module will detect it.
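To see what the `kube-probe` condition actually discards, the following added example (not part of the original configuration) replays it over constructed access-log lines next to a stricter pattern. The stricter pattern, the nginx "combined" log format, the `/healthz` probe path and every sample line are assumptions made for illustration.

```python
import re

# The page's condition: unanchored match anywhere in the raw log line.
PAGE_RULE = re.compile(r"kube-probe")

# Stricter variant (assumption, not from the page): the request must be a GET
# on the probe path and the User-Agent must be the last quoted field.
STRICT_RULE = re.compile(
    r'"GET /healthz HTTP/1\.[01]" \d{3} \d+ "[^"]*" "kube-probe/\d+\.\d+\+?"$'
)

# Constructed sample lines in nginx "combined" format (not real traffic).
SAMPLE_LINES = [
    # 0: kubelet liveness probe
    '10.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /healthz HTTP/1.1" '
    '200 2 "-" "kube-probe/1.27"',
    # 1: ordinary browser request
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" '
    '200 612 "-" "Mozilla/5.0"',
    # 2: non-probe request that carries the probe's User-Agent string
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "POST /login HTTP/1.1" '
    '401 0 "-" "kube-probe/1.27"',
    # 3: the string appears only in the URL
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=kube-probe HTTP/1.1" '
    '200 90 "-" "curl/8.0"',
]


def dropped(rule, lines):
    """Indexes of the lines a drop_event processor using this regexp would discard."""
    return [i for i, line in enumerate(lines) if rule.search(line)]


def lost_events(lines):
    """Lines discarded by the page's rule that the strict rule would keep."""
    strict = set(dropped(STRICT_RULE, lines))
    return [i for i in dropped(PAGE_RULE, lines) if i not in strict]


if __name__ == "__main__":
    print("page rule drops:         ", dropped(PAGE_RULE, SAMPLE_LINES))
    print("strict rule drops:       ", dropped(STRICT_RULE, SAMPLE_LINES))
    print("lost only with page rule:", lost_events(SAMPLE_LINES))
```

Lines 2 and 3 never reach Elasticsearch under the unanchored rule even though they are not probes. If you move the stricter pattern into `drop_event.when.regexp.message`, change the path to your own probe endpoint and single-quote the YAML value so the backslashes survive.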