Hi,
I am trying to use winlogbeat and Logstash. How does Logstash keep track of winlogbeat events if Logstash is restarted?
Thanks
Could you clarify what you mean by "keep track of"?
Logstash doesn't keep track of anything related to Winlogbeat when restarted. Winlogbeat sends events to Logstash and when Logstash has written the event to its in-memory queue it sends and ACK to Winlogbeat. After Winlogbeat receives the ACK it considers the event to have been successfully delivered and it will persist information about the last successful event to disk. This allows Winlogbeat to restart and resume from the last known read position.
If Logstash is restarted while there are events stored in the in-memory queue those events are lost. That's why Logstash has persistent queues that persist the events to disk before sending the ACK back to Winlogbeat. If you enable the persistent queue feature then on restart you can be sure that no events will be lost.
Thanks Andrew. What if I want to migrate from running Logstash from command line to Running Logstash as a service?
It should just be a matter of putting the config file(s) in /etc/logstash/conf.d and starting the service.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.