When I use the filestream type instead of the log type, filebeat always reads the entire log file from the beginning.
```yaml
- type: filestream
  id: test_id
  enable: true
  paths:
    - "/usr/share/filebeat/inputs.d/*.log"
  parsers:
    - multiline:
        type: pattern
        pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
        negate: true
        match: after
  ignore_inactive: since_first_start
```
No matter whether I use `since_first_start` or `since_last_start`, it doesn't work.
But when I use the log config type with `tail_files: true`, it works normally.
```yaml
- type: log
  paths:
    - "/usr/share/filebeat/inputs.d/*.log"
  multiline:
    type: pattern
    pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
    negate: true
    match: after
  enable: true
  tail_files: true
```
So my question is, how can I configure the filestream type so that filebeat doesn't read my log file from scratch?
Thanks to everyone who can solve it.