When you have a new version of the logstash.conf file and the current system is running in a 'production' environment, what is the best method to replace the .conf file on logstash while minimizing data loss and downtime?
It would appear from the documentation that stopping logstash, swapping .conf files, and restarting logstash is the main method?
Logstash only reads the configuration file upon startup, so you can replace the file first and then bounce the service. Make sure you run logstash --configtest first so that you catch at least the most glaring configuration mistakes.
If you're running Logstash 1.4.x or older, keep in mind that stopping the service (implicitly done with a restart operation) doesn't ensure a clean shutdown, i.e. the message pipeline and sincedb files aren't flushed. You need to send a SIGINT signal for that to happen.
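The procedure from the answer above as a shell function, added here as an example and not part of the original post. LOGSTASH_BIN, the pidfile argument and STOP_TIMEOUT are assumptions; starting the service again is left to the caller's init system.

```shell
# Added example. Assumed: install path, pidfile location, timeout value.
LOGSTASH_BIN="${LOGSTASH_BIN:-/opt/logstash/bin/logstash}"   # assumed install path
STOP_TIMEOUT="${STOP_TIMEOUT:-60}"                           # seconds to wait after SIGINT

# swap_logstash_conf NEW_CONF LIVE_CONF PIDFILE
# Returns 0: new config in place and the old process (if any) has exited.
#         1: validation or copy failed.
#         2: process still running after STOP_TIMEOUT; do not start a second one.
swap_logstash_conf() {
    new_conf="$1"; live_conf="$2"; pidfile="$3"
    tmp_conf="$live_conf.tmp.$$"; waited=0

    # 1. Validate the candidate before touching the live file.
    if ! "$LOGSTASH_BIN" -f "$new_conf" --configtest >/dev/null 2>&1; then
        echo "configtest failed for $new_conf; live config left unchanged" >&2
        return 1
    fi

    # 2. Keep a rollback copy. Build the replacement from a copy of the live
    #    file so mode and ownership carry over, then rename it into place so a
    #    starting Logstash never reads a half-written file.
    cp -p "$live_conf" "$live_conf.bak" || return 1
    cp -p "$live_conf" "$tmp_conf" && cat "$new_conf" > "$tmp_conf" \
        && mv -f "$tmp_conf" "$live_conf" || { rm -f "$tmp_conf"; return 1; }

    # 3. Ask for a clean shutdown with SIGINT so the pipeline and sincedb files
    #    are flushed, and wait for the process to exit.
    if [ -r "$pidfile" ] && pid="$(cat "$pidfile")" && kill -0 "$pid" 2>/dev/null; then
        kill -INT "$pid"
        while kill -0 "$pid" 2>/dev/null; do
            if [ "$waited" -ge "$STOP_TIMEOUT" ]; then
                echo "pid $pid still running after ${STOP_TIMEOUT}s" >&2
                return 2
            fi
            sleep 1
            waited=$((waited + 1))
        done
    fi
    return 0   # the caller now starts the service through its init system
}

# Usage (paths are placeholders):
#   swap_logstash_conf ./logstash.conf.new /etc/logstash/logstash.conf /var/run/logstash.pid
```

If the function returns 1 after the rollback copy was made, the previous configuration is still available as LIVE_CONF.bak.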