Ignore registry after a reboot

sajjad · October 22, 2018, 7:33pm

I am running Filebeat 6.2.2 on a bunch of systems to forward to Logstash and facing an issue when one of them has a problem and reboots. After the reboot, Filebeat ingests all the logs and eats up system resources, while also increasing the load on Logstash.

How do I tell Filebeat to ignore all previous data, and start reading only from the current time after a reboot?

Here is my configuration:

filebeat.prospectors:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
  close_inactive: 10m
  close_renamed: true
  close_timeout: 5m

steffens · October 23, 2018, 10:54am

See tail_files settings documentation. This setting, plus deleting the registry file between restart might give the wanted result. It's somewhat unsafe, though, as you might send incomplete (unparsable) contents to Logstash if filebeat starts reading in the middle of a line.

sajjad · October 23, 2018, 7:26pm

Thank you. That was exactly what I was looking for.

system · November 20, 2018, 7:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.