Filebeat stops harvesting files after logrotate

I'm using the Wazuh Kibana plugin and using Filebeat to ship alerts to Elasticsearch. Filebeat stops indexing data to the wazuh-alerts index daily at midnight. I am able to see new data only after restarting Filebeat, and it then indexes data until midnight (12:00 AM), when I again need to restart Filebeat to get the data indexed to Elasticsearch. I can see that old alerts.json files are moved to the archive folder by Wazuh logrotate and the newly created alerts.json file gets a new inode number. How can I fix this issue without restarting Filebeat? I couldn't find any errors in the Elasticsearch and Filebeat logs.

Hi!

It could be an issue with log rotation. Can you check https://www.elastic.co/guide/en/beats/filebeat/current/file-log-rotation.html and properly configure your Filebeat so as to handle log rotation?

C.

I have done as described in the doc, but no change. Is this relevant in this scenario? https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-log.html#filebeat-input-log-close-timeout

Can you run Filebeat in debug mode and share the logs in order to check the flow and why Filebeat stops shipping?
