I have Filebeat reading the log files on a remote server and shipping them to Logstash on the same server. I have tried deleting the last 6 months old indices, but I have noticed that the indices are recreated in Elasticsearch. Can you correct me where I'm going wrong? I went with the default configuration. Thanks
paths:
  #- /var/log/*.log
  - \\webserver10\iislogs\*.log
output.logstash:
  # Boolean flag to enable or disable the output module.
  #enabled: true
  # The Logstash hosts
  hosts: ["localhost:5044"]
  # Number of workers per Logstash host.
  #worker: 1
It seems Filebeat is still reading logs from the path and sending them to Logstash, and Logstash is reading the logs and pushing them to the index iis_logs-*. Make sure no Filebeat is sending logs to Logstash.
I notice from the Filebeat registry that Filebeat is re-reading the old untouched log files and shipping them to Logstash. Is there any config setting which stops Filebeat from re-reading the logs or from shipping old log files to Logstash?
ignore_older: 3h
You can use this to ignore older files. Moreover, you can change your registry file if you are sure Filebeat is pushing logs from the old registry with: