Filebeat to ignore already existing content only for the first time

I am planning to have filebeat deployed in production where the log files are already huge in size and will be backed up only after it reaches 300MB. I am running filebeat as a windows service in my windows 2012 server. Is there a way to tell filebeat, that on fresh installation ships only the new logs that is written after installation. Also, if the filebeat service is restarted it should retain the state and ship the content between that have been inserted into the log file during the restart.

You could use the option tail_files in your prospector/input configuration.

# Setting tail_files to true means filebeat starts reading new files at the end
# instead of the beginning. If this is used in combination with log rotation
# this can mean that the first entries of a new file are skipped.
#tail_files: false

What if filebeat service is restarted, will it ship the logs that got into the log file during the service restart. Also, on periodic basis the log files will be backed up with another name and new file with name same as previous one will be created and logs will be written to this file. Will filebeat monitor the new files as well with the tail_files settings set to true?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.