Modify zeek's logstash pipeline to drop events from log names that contain a date like conn.2020_01_16_14_00_00.log

Thanks to @rsatrio, see #221.

Will be included in v6.4.1 release.
mmguero committed Nov 3, 2022
1 parent bfd7fa8 commit 9bed8ee
Showing 1 changed file with 4 additions and 3 deletions.
7 changes: 4 additions & 3 deletions logstash/pipelines/zeek/11_zeek_logs.conf
@@ -4313,9 +4313,10 @@ filter {

} else {

if ([log_source] =~ /\.\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}$/) {
# filebeat caught a file right in the middle of being renamed/moved (ie., renamed from conn.log to
# conn.2020-01-16-14-00-00.log). this has actually already been processed, so ignore this event.
if ([log_source] =~ /\.\d{4}[_:-]?\d{2}[_:-]?\d{2}[_:-]?\d{2}[_:-]?\d{2}[_:-]?\d{2}$/) {
# filebeat caught a file right in the middle of being renamed/moved
# (ie., renamed from conn.log to conn.2020-01-16-14-00-00.log or conn.2020_01_16_14_00_00.log).
# this has actually already been processed, so ignore this event.
drop { id => "drop_renamed_logfile" }

} else {
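Review bot: the new pattern on the `if ([log_source] =~ ...)` line is anchored with `$` directly after the seconds field, but the comment under it names `conn.2020-01-16-14-00-00.log` and `conn.2020_01_16_14_00_00.log` as the files to drop; those names only match if `[log_source]` already has the `.log` extension stripped at this point in the pipeline. Either say so in the comment or make the extension explicit, e.g. `\d{2}(\.log)?$/`. Also note that each `[_:-]?` is optional and independent, so the regex also accepts a bare 14-digit run and mixed separators, and it admits `:` although the comment only mentions `-` and `_`; if that breadth is intended, a word in the comment would keep the next reader from tightening it.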