maybe some more details here are interesting for you. Maybe I do not really have a problem at all.
Our application has a problem, if it needs to append to a log > 4GB when starting. If the application is already running and then it gets over the 4GB limit, there is no problem.
So our workaround is to rename the old log, then the application is creating a new logfile, which will be sipped to logstash.
I need to prevent filebeat to ship the renamed file to logstash, because the data is aready in elasticsearch.
Or do I not need to worry about it? In the past we always managaed to rename to *.log_, so it did not match the pattern at all, but I would like to build a waterproof setup.
symlinking may be possible, but I think we will stay on the order to rename by adding a suffix to the logfile name which is not matching the pattern.