Increasing ignore_older value fails to ship additional events


I assume I'm missing something relatively basic here, but my search has yielded little. I'm using OSS agent version 7.0.1 on Windows 7.

Following a successful install of winlogbeat which respects the "ignore_older" value of 72h set for dev purposes, I've increased the value in winlogbeat.yml to a more bulky 336h. My intention is to load a useful amount of test data from existing hosts, but upon updating the yml file on the target hosts and restarting the service no additional events outside the original 72h period are shipped for indexing.

I suspected that the service might need to be rebuilt following the updates to the config. After updating the winlogbeats.yml file, stopping the winlogbeat service, performing un-installation, a host reboot and installation of the service using the included powershell scripts the host still fails to ship events within the new ignore_older timeframe.

Is this behavior typical, or am I missing something?

Appreciate any feedback.

That's the expected behavior. You need to clear the registry file that stores the current read position. That file is located in C:\ProgramData\winlogbeat\.winlogbeat.yml. Stop the agent, delete (or modify) the file, then restart the agent.

Brilliant; I had found a reference file in a subfolder "data" under the original installation path, but this path wasn't consistent across both dev hosts.

Thanks for the quick response; this worked perfectly.

When running as a Windows service the file will be written to C:\ProgramData\winlogbeat\.winlogbeat.yml because the service sets the flag when starting Winlogbeat. If you start Winlogbeat differently (without pointing to ProgramData) then it will get written to the CWD.
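The stop / reset / restart procedure from the answer above, as an added PowerShell example (not code from the thread or from the Winlogbeat project). It assumes the service is registered as "winlogbeat" and that the registry file lives at the ProgramData path given above; it moves the file aside rather than deleting it so the old read position is kept for later reference.

```powershell
# Added example: reset Winlogbeat's saved read position so a larger ignore_older
# window takes effect. Service name and registry path are assumptions; adjust them
# if your install differs (e.g. when Winlogbeat writes the file to its CWD instead).
$ServiceName  = 'winlogbeat'
$RegistryFile = 'C:\ProgramData\winlogbeat\.winlogbeat.yml'
$Backup       = "$RegistryFile.bak-$(Get-Date -Format yyyyMMddHHmmss)"

# 1. Stop the agent so it cannot rewrite the registry file while we move it.
Stop-Service -Name $ServiceName -ErrorAction Stop
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))

# 2. Keep the old checkpoint instead of deleting it: it records how far each
#    channel had been read, which helps explain any gap or duplicate later on.
if (Test-Path $RegistryFile) {
    Move-Item -Path $RegistryFile -Destination $Backup -ErrorAction Stop
    Write-Host "Registry file moved to $Backup"
} else {
    Write-Host "No registry file at $RegistryFile; check the agent's working directory."
}

# 3. Restart; with no saved position, Winlogbeat reads from ignore_older onward.
Start-Service -Name $ServiceName -ErrorAction Stop
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
Write-Host "Winlogbeat restarted; events within the new ignore_older window will ship."
```

Because the read position is discarded, events that were already shipped inside the old 72h window will be sent again, so expect duplicates in the index for that period unless the pipeline deduplicates on event id.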
