Hey team,
We're using Filebeat 7.11.1 (via a Graylog sidecar installation) to send logs from a Windows server to Graylog. However, our current configuration is shipping logs that are months or a year old, despite our server only receiving daily/weekly logs. As a result, Filebeat isn't capturing most of our daily logs. Here's the configuration:
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
  hosts: ["192.168.1.1:514"]
path:
  data: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar\\cache\\filebeat"}\data
  logs: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar"}\logs
tags:
  - windows
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - D:\path\to\logs\*\*\*\*\*\*\*.log
      - D:\path\to\otherlogs\1\2\3\*\*\*.log
      - D:\path\to\otherlogs\*\*\*\*\*\*\*\*.log
When adding the following flags, Filebeat stops working. We only want to ship logs written within the past 2 weeks:
scan_frequency: 60s
close_inactive: 336h
ignore_older: 337h
Apologies if this has been answered somewhere else. I'm new to Filebeat and have tried finding the answer to no avail. Thanks!