Ignore registry after a reboot

sajjad · October 22, 2018, 7:33pm

I am running Filebeat 6.2.2 on a bunch of systems to forward to Logstash and facing an issue when one of them has a problem and reboots. After the reboot, Filebeat ingests all the logs and eats up system resources, while also increasing the load on Logstash.

How do I tell Filebeat to ignore all previous data, and start reading only from the current time after a reboot?

Here is my configuration:

filebeat.prospectors:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
  close_inactive: 10m
  close_renamed: true
  close_timeout: 5m

steffens · October 23, 2018, 10:54am

See tail_files settings documentation. This setting, plus deleting the registry file between restart might give the wanted result. It's somewhat unsafe, though, as you might send incomplete (unparsable) contents to Logstash if filebeat starts reading in the middle of a line.

sajjad · October 23, 2018, 7:26pm

Thank you. That was exactly what I was looking for.

Topic		Replies	Views
Filebeat does not process any files after restart Beats filebeat	7	1668	September 15, 2021
Filebeat resends log files after restart Beats filebeat	8	2134	July 12, 2022
Filebeat filestream reads the files from last line after service restart Beats filebeat	4	353	October 8, 2024
Filebeat sending old logs on restart Beats filebeat	6	6040	July 5, 2017
Filebeat does not harvest files after a restart Beats filebeat	4	1428	January 8, 2019

Ignore registry after a reboot

Related topics