How to exclude paths from Filebeat inputs

Excluding unwanted log paths keeps Filebeat from ingesting rotated, compressed, or noisy files that create duplicates and waste resources. Cleaner harvesting reduces churn on outputs and keeps downstream searches and alerting focused on the logs that matter.

Each input expands the paths globs in /etc/filebeat/filebeat.yml into candidate files, then the filestream scanner decides which files are eligible to harvest. Exclusions are applied per input using regular expressions, so a broad glob like *.log* can still ignore specific extensions, backup naming conventions, or entire directories.

Patterns are matched against the full file path and use Go-style regular expressions, so features like lookaround are not supported and overly broad matches can silently drop important logs. For filestream inputs, configure exclusions with prospector.scanner.exclude_files (the legacy log input uses exclude_files), then validate configuration before restarting the service to apply changes.

Steps to exclude paths from Filebeat inputs:

Open the Filebeat configuration file.
```
$ sudo nano /etc/filebeat/filebeat.yml
```

Add file exclusion patterns to the relevant input.

filebeat.inputs:
  - type: filestream
    id: system-logs
    enabled: true
    paths:
      - /var/log/*.log*
    prospector.scanner.exclude_files: ['\.gz$', '\.1$']

Overly broad patterns prevent events from being shipped, so keep exclusions narrow and anchor absolute paths with ^.

Test the configuration for errors.
```
$ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK
```
Related: How to test a Filebeat configuration
Restart the Filebeat service to apply the exclusions.
```
$ sudo systemctl restart filebeat
```
Related: How to manage the Filebeat service with systemctl in Linux

Check recent Filebeat logs for input activity.

$ sudo journalctl --unit=filebeat --no-pager --lines=30
Jan 06 22:16:17 host filebeat[7745]: {"log.level":"info","@timestamp":"2026-01-06T22:16:17.698Z","log.logger":"crawler","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/beater.(*crawler).Start","file.name":"beater/crawler.go","file.line":111},"message":"Loading and starting Inputs completed. Enabled inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
Jan 06 22:16:17 host filebeat[7745]: {"log.level":"info","@timestamp":"2026-01-06T22:16:17.698Z","log.logger":"input.filestream","log.origin":{"function":"github.com/elastic/beats/v7/filebeat/input/v2/compat.(*runner).Start.func1","file.name":"compat/compat.go","file.line":141},"message":"Input 'filestream' starting","service.name":"filebeat","id":"system-logs","ecs.version":"1.6.0"}
##### snipped #####

Enable debug logging temporarily when excluded paths are not obvious in the default logs.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.