We have our servers located geographically at remote places (where the internet is not as reliable) the Filebeat shipper is responsible to ship the logs to our ELK via KAFKA -> LOGSTASH -> ELASTIC
The thing I'm unable to find from filebeat.conf is what is the expected behaviour of the Filebeat when the internet is not available does it retry the same, or is there a max attempt last?
Also,
Given the internet is not available (for days) does Filebeat store the stuff(which it could not send now) somewhere other than the actual logs file Bcoz I'm sceptical that logrotate would be rotating the file which would result in Filebeat missing on sending those log events to ELK
Filebeat is meant to ship data out of the host as quickly as possible, so storing data locally for a few days is unusual.
I don't know the size of your log files, but if you don't have internet access for a few days, when Filebeat regains access there will be a burst of events being sent to Kafka, so keep that in mind.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.