Ignore registry after a reboot

sajjad · October 22, 2018, 7:33pm

I am running Filebeat 6.2.2 on a bunch of systems to forward to Logstash and facing an issue when one of them has a problem and reboots. After the reboot, Filebeat ingests all the logs and eats up system resources, while also increasing the load on Logstash.

How do I tell Filebeat to ignore all previous data, and start reading only from the current time after a reboot?

Here is my configuration:

filebeat.prospectors:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
  close_inactive: 10m
  close_renamed: true
  close_timeout: 5m

steffens · October 23, 2018, 10:54am

See tail_files settings documentation. This setting, plus deleting the registry file between restart might give the wanted result. It's somewhat unsafe, though, as you might send incomplete (unparsable) contents to Logstash if filebeat starts reading in the middle of a line.

sajjad · October 23, 2018, 7:26pm

Thank you. That was exactly what I was looking for.

system · November 20, 2018, 7:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
FIlebeat doesn't reparse logs Beats filebeat	11	2855	July 5, 2017
Filebeat beta1 resends random data upon every restart (registry file not updated properly?) Beats filebeat	14	2246	October 20, 2016
Filebeat extremely slow startup for large number of files Beats filebeat	1	1827	August 7, 2020
Filebeat Registry - Will I get duplicates if I delete Beats filebeat	3	1824	May 21, 2020
Force Read few files from start when filebeat restarts Beats filebeat	3	375	March 7, 2021

Ignore registry after a reboot

Related topics