Agent log level sending info & debug, how to change level

I found that my busiest index was a logs-elastic_agent.filebeat-default index, so I looked into what was being sent. I found a simple custom logs (filebeat) agent that was sending at debug level. Over 8 million events to the cloud that I don't really need...

I found "Collect agent logs" in settings, but no way to change the log level?

Is there a way to change it? Why did it get set to debug on a single system?

Are your agents Fleet Managed or Standalone Agents?

Which version are you using?

If I'm not wrong, the default log level is info; for it to be running with debug, someone may have changed it manually.

Fleet managed, Elastic cloud, 8.15.3.

It could be info, maybe not debug. I was using the log viewer in Fleet and selecting the level filters; I had never used it before.

IMHO, info is too chatty to send to the cloud. I found a second host, so over 24 hours, I ingested 16 million lines of basically "end of file reached".

If info is the default, is there a way in Fleet to change it?

Thanks

In 8.15 you can change it directly in the policy settings:

This is a policy setting, but I think that setting it in individual agents will override the configuration from the policy.

You can change it per agent by going into the agents page > logs.

I don't see that line on the agents page. I go to All Agents, click on the desired host, then should be at what you are calling the agents page?

Click on the desired host and then on the Logs tab; there are three tabs: Agent details, Logs and Diagnostics.

In mine, that just filters the view of the logs.

But Fleet filtering local_metadata.elastic.agent.log_level : debug shows my two problem hosts.

It is at the end of that page, on the left side.

I do not collect agent logs, but this is how it shows up on mine.

As you can see, there is the option in the bottom left corner.

Good grief, that is the most non-intuitive location for an updateable field that I've ever seen, below scrollable logs....