Our filebeat does not stop quickly after changing it to use the 'type: filestream', we used 'type: log' before and it stopped immediately.
We stop filebeat by sending it a -TERM, using
pkill -TERM filebeat
It normally stops gracefully but typically takes 50+ seconds, and sometimes a lot more. It varies by server how long it takes to stop. It is also slow to stop for semi-idle test-servers.
this is our config:
###################### Filebeat v9 Configuration #########################
filebeat.inputs:
- type: filestream
id: apache-access
tags: ["apache", "apache-access"]
enabled: true
paths:
- "/var/log/apache2/*access.log*"
- "/var/log/bnr-elasticsearch-backfill/apache2/*access.log*"
prospector.scanner.exclude_files: ['\.gz$']
close.on_state_change.inactive: 5m
take_over:
enabled: true
file_identity.native: ~
- type: filestream
id: apache-error
tags: ["apache", "apache-error"]
enabled: true
paths:
- "/var/log/apache2/error.log*"
- "/var/log/bnr-elasticsearch-backfill/apache2/error.log*"
prospector.scanner.exclude_files: ['\.gz$']
close.on_state_change.inactive: 5m
take_over:
enabled: true
file_identity.native: ~
- type: filestream
id: apache-mpm-event
tags: ["apache", "apache-mpm-event"]
enabled: true
paths:
- "/var/log/apache2/mpm-event-error.log*"
- "/var/log/bnr-elasticsearch-backfill/apache2/mpm-event-error.log*"
prospector.scanner.exclude_files: ['\.gz$']
close.on_state_change.inactive: 5m
take_over:
enabled: true
file_identity.native: ~
- type: filestream
id: wildfly-server
tags: ["wildfly"]
enabled: true
paths:
- "/opt/wildfly/standalone/log/server.log"
- "/var/log/bnr-elasticsearch-backfill/wildfly/*server.log*"
parsers:
- multiline:
type: pattern
# Matches timestamp start '2025-09-23 00:00:00,001 ' both milli and micro precision
pattern: '^20\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d,\d+\s'
negate: true
match: after
close.on_state_change.inactive: 5m
take_over:
enabled: true
file_identity.native: ~
- type: filestream
id: wildfly-apps
enabled: true
paths:
# main-trace.log files
- /var/log/bnr-services/*/main-trace.log
- /var/log/bnr-services/*/20??-??/main-trace.log
- /var/log/wildfly/*/main-trace.log
- /var/log/wildfly/*/20??-??/main-trace*.log
- /var/log/wildfly/internet-booking/app.log
- /var/log/wildfly/internet-booking/20??-??/app*.log
# For performance tests of filebeat etc. Are mapped to index test which can be deleted manually without losing prod-data. The test-indexes are auto-deleted daily via maintenance job
- /var/log/wildfly/test/*.log
# Grab everything here, so if we lost info-error we can load main-info.log
- /var/log/bnr-elasticsearch-backfill/wildfly/*/*.log
parsers:
- multiline:
type: pattern
pattern: '^20\d\d-\d\d-\d\d'
negate: true
match: after
max_lines: 100000
timeout: 5s
# filestream does not use multiline.max_bytes.
# Keep the default message safety limits unless you have a verified need to tune them.
close.on_state_change.inactive: 5m
take_over:
enabled: true
file_identity.native: ~
#============================== Processors =====================================
processors:
# Set host.name from hostname on system, instead of using the name from this Filebeat
- add_host_metadata:
replace_fields: true
# only keep host.name.
- drop_fields:
fields:
- host.architecture
- host.containerized
- host.id
- host.ip
- host.mac
- host.os
- host.hostname
ignore_missing: true
#============================== Output =====================================
output.logstash:
bulk_max_size: 5000
hosts: ["localhost:5044"]
#============================== Logging =====================================
logging.to_files: true
logging.files:
path: /var/log
name: filebeat.log
keepfiles: 7
permissions: 0644
logging.level: info
logging.metrics.enabled: false
#============================== Beat Monitoring =====================================
http.enabled: true
http.host: 0.0.0.0
http.port: 5066
monitoring.cluster_uuid: "removed"