Filebeat/Metricbeat logs rotation

Hello everyone,

On my server, I have Filebeat and Metricbeat installed by RPM.

So I have folders in /etc for each product: /etc/metricbeat & /etc/filebeat.

My question is about the log rotation: I have searched in the process definition, in the yaml configuration file, in the logrotate.conf file, in logrotate.d.
I'm still not able to find how my log files are managed/purged/rotated.

In /var/log/metricbeat (or /var/log/filebeat), I have 7 files: the currently written log file, and 6 backlogs. Each of these 6 backlogs has a size of 10M.

Could you please tell me if there are settings where I can set how the logs must be managed?

Best regards,
BiNaP.

Logging options can be customized using the following config options (e.g. Filebeat). See more about the below options here: https://www.elastic.co/guide/en/beats/filebeat/current/configuration-logging.html

# Logging to rotating files. Set logging.to_files to false to disable logging to
# files.
logging.to_files: true
logging.files:
  # Configure the path where the logs are written. The default is the logs directory
  # under the home path (the binary location).
  #path: /var/log/filebeat

  # The name of the files where the logs are written to.
  #name: filebeat

  # Configure log file size limit. If limit is reached, log file will be
  # automatically rotated
  #rotateeverybytes: 10485760 # = 10MB

  # Number of rotated log files to keep. Oldest files will be deleted first.
  #keepfiles: 7

  # The permissions mask to apply when rotating log files. The default value is 0600.
  # Must be a valid Unix-style file permissions mask expressed in octal notation.
  #permissions: 0600

# Set to true to log messages in json format.
#logging.json: false
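
To confirm on disk that the settings above are taking effect, a check along these lines can be used. It is an added example, not part of the original reply or Elastic's tooling: the function name `audit_beat_logs`, the one-file allowance for the active log and the 2x size tolerance are assumptions, and it relies on GNU find.

```shell
#!/bin/sh
# Added example (hypothetical helper): audit a Beat log directory against the
# logging.files settings shown above. Assumes GNU find on an RPM-based host.
#
# Usage: audit_beat_logs DIR NAME KEEPFILES ROTATE_BYTES
#   e.g. audit_beat_logs /var/log/metricbeat metricbeat 7 10485760
# Prints one block per finding; returns 0 when clean, 1 otherwise.
audit_beat_logs() {
  dir=$1 name=$2 keep=$3 limit=$4
  findings=0

  [ -d "$dir" ] || { echo "MISSING: $dir is not a directory"; return 1; }

  # Retention: keepfiles caps how many log files stay on disk. One extra is
  # tolerated for the file currently being written (assumption).
  count=$(find "$dir" -maxdepth 1 -type f -name "$name*" | wc -l)
  if [ "$count" -gt $((keep + 1)) ]; then
    echo "RETENTION: $count files in $dir, keepfiles is $keep"
    findings=$((findings + 1))
  fi

  # Permissions: with the default 0600 mask no group/other bit may be set.
  loose=$(find "$dir" -maxdepth 1 -type f -name "$name*" -perm /077)
  if [ -n "$loose" ]; then
    echo "PERMISSIONS: accessible beyond the owner (expected 0600):"
    echo "$loose" | sed 's/^/  /'
    findings=$((findings + 1))
  fi

  # Size: a file far above rotateeverybytes means rotation is not happening.
  # The 2x tolerance is a heuristic chosen for this example.
  big=$(find "$dir" -maxdepth 1 -type f -name "$name*" -size +$((limit * 2))c)
  if [ -n "$big" ]; then
    echo "SIZE: larger than twice rotateeverybytes ($limit):"
    echo "$big" | sed 's/^/  /'
    findings=$((findings + 1))
  fi

  [ "$findings" -eq 0 ]
}
```

Run it with the values from the Beat's own configuration file; world-readable Beat logs are worth fixing because they can reveal hostnames, file paths and output endpoints to other local users.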

Thank you @kvch. It is, indeed, set where you suggest for my Filebeat installation.

I'll apply the same for Metricbeat; I assume it can be done as well as for Filebeat.

Yes, you can.

Thank you again, @kvch.

I think this topic can be closed.
