Filebeat IIS logs not sending all logs - how can I troubleshoot?


(Brett Larson) #1

Hello,
We are in the process of moving from OMS to Elastic using the managed cloud. I have set up Filebeat and the IIS module; however, I'm not seeing that logs are ingested at the same rate they are in OMS. There is in fact a huge discrepancy (around 4-5%) and I'm wondering how I can troubleshoot this further.

Below are the time periods and the log count for a specific computer, although this issue is occurring on multiple servers.

These are Server 2012 R2 servers and they are having the issue when using both the 6.4.2 agents and the 6.5.0 agents.

4 hours
OMS - 436,972
Elastic - 18,400

24 hours
OMS - 3,309,979
Elastic - 181,488

1 week
OMS - 33,375,125
Elastic - 1,743,939

30 days
OMS - 78,333,426
Elastic - 8,997,271

Thank you!


(Brett Larson) #2

Just an update to answer my own question.

I believe the issue was that there were too many logs for the Filebeat agent to deal with. After waiting a few days it appears that it has finally caught up and the logs are processing successfully, at least at the 4 hour time window between OMS and Elastic. :smile:
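An added example, not part of the original posts: one way to check whether Filebeat is behind on its input files is to compare the read offset it has recorded for each file with the file's current size. It assumes the Filebeat 6.x registry, a single JSON file (by default `data/registry`) holding a `source` and `offset` per harvested file; the function names and the sample logs and registry are constructed for illustration.

```python
import json
import os
import tempfile


def registry_backlog(registry_path):
    """Return {source: unread_bytes} for each file in a Filebeat 6.x registry."""
    with open(registry_path, encoding="utf-8") as fh:
        states = json.load(fh)
    backlog = {}
    for state in states:
        source, offset = state["source"], state["offset"]
        try:
            size = os.path.getsize(source)
        except OSError:
            continue  # file rotated away or deleted: nothing left to read
        # An offset past the end means the file was truncated or replaced,
        # so the whole file still has to be read.
        backlog[source] = size if offset > size else size - offset
    return backlog


def build_sample(tmpdir):
    """Constructed sample: two IIS-style logs plus a registry that is behind."""
    line = "2018-11-20 00:00:01 10.0.0.5 GET /index.html - 443 - 10.0.0.9 - 200 0 0 15\n"
    done = os.path.join(tmpdir, "u_ex181119.log")
    behind = os.path.join(tmpdir, "u_ex181120.log")
    for path, count in ((done, 10), (behind, 1000)):
        with open(path, "w", newline="") as fh:
            fh.write(line * count)
    states = [
        {"source": done, "offset": len(line) * 10, "type": "log"},
        {"source": behind, "offset": len(line) * 50, "type": "log"},
        {"source": os.path.join(tmpdir, "gone.log"), "offset": 5, "type": "log"},
    ]
    registry = os.path.join(tmpdir, "registry")
    with open(registry, "w", encoding="utf-8") as fh:
        json.dump(states, fh)
    return registry, done, behind, len(line)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        registry, *_ = build_sample(tmp)
        ranked = sorted(registry_backlog(registry).items(), key=lambda kv: -kv[1])
        for source, unread in ranked:
            print(f"{unread:>10} bytes unread  {source}")
```

Run against the real registry at intervals: a total that shrinks between runs means the agent is catching up, while one that keeps growing means it is not keeping pace with log volume.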

