Filebeat loses first lines when file rotated

Alexander_A · March 14, 2023, 12:28pm

We have discovered that filebeat loses first lines when file rotated.
For example we use the following config to get auditbeat logs and when file rotated (auditbeat restarted) we see that first lines missing (written in first 10 seconds = scan_frequency).

- type: filestream
  id: auditbeat-logs
  enabled: true
  paths:
    - /var/log/auditbeat/auditbeat-*.ndjson

Seems like filebeat uses tail_files strategy and I'm wondering how we can change this behavior and force it to read new files from the beginning.

We have checked all options and read all topics and posts like Log rotation results in lost or duplicate events

This issue make filebeat not reliable solution.

system · April 11, 2023, 2:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat doesn't read file after rotation Beats filebeat	1	339	May 14, 2019
Filebeat: anything to know about rotating logfiles? Beats filebeat	3	476	September 27, 2019
Skip log rotation at service restart? Beats filebeat	5	355	December 20, 2018
Filebeat missed one complete log file in log rotation Beats filebeat	10	1446	May 17, 2017
Filebeat is losing events due to file rotate Beats filebeat	5	2484	July 1, 2016

Filebeat loses first lines when file rotated

Related topics