Filebeat high disk usage when reboot server. How fix it?

Elastic Stack Beats
1

Hi all!
Filebeat on server send many events from logs of exchange (windows) server to logstash.
When we reboot server filebeat make high disk usage. Other services can't load for a long time.
How can i fix it? Thank you

my config:

setup.ilm.enabled: false
setup.template.name: "exchange"
setup.template.pattern: "exchange*"
setup.template.overwrite: true
setup.template.settings:
  index.number_of_shards: 3
  index.number_of_replicas: 0
tags: ["exchange-transport"]
output.logstash:
  ssl.enabled: true
  hosts: ["elk-server:5044"]
  index: "exchange-%{+YYYY.MM.dd}"
logging.level: info
logging.to_files: true
logging.files:
  path: C:\Program Files\Filebeat\logs
  name: Filebeat.log
  keepfiles: 7
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG
  exclude_lines: ["^#"]
  document_type: exchange           
  ignore_older: 47h  
  fields:
    type: exchange
  fields_under_root: true
2

Can you elaborate more on this please. What do you mean, how are you seeing this, how do you know it's Filebeat?

3

I see this in resource monitor:

image
image1176×799 55.8 KB

4

How many files are there in that directory?

5

This folder has a lot of log files, more than 19 thousand

6

Are they all new files, or are they old ones that have been processed before?

If they are old ones, you may want to look at things like ignore_older and close_inactive.

7

@warkolm
This is all old, on good need to read only for the last day

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.