There is no good way to detect situations where Winlogbeat is starting up and unable to continue ingesting events from the last bookmarked position (i.e. event log has rolled forward and some events have been lost).
Had this happen with Security events. Eventlog size wasn't sufficient, Winlogbeat was down and tons of security events were logged to the point where the log rolled over.
I think it would be useful if Winlogbeat had a warning in this case, so it's easy to detect and remediate. Currently it outputs a debug message, but enabling (and ingesting) debug level logs feels like overkill; a warning would be more appropriate.
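One way to check for this condition from outside Winlogbeat, as an added example that is not part of the original post and not Winlogbeat's own code: compare the record number saved in the registry file with the oldest record still present in each event log. The registry path and its `name` / `record_number` layout (with `name` listed first) are assumptions about a default install, and `Get-WinlogbeatBookmark` is a hypothetical helper name.

```powershell
# Assumption: default registry file location; pass -RegistryPath if yours differs.
param(
    [string]$RegistryPath = 'C:\ProgramData\winlogbeat\.winlogbeat.yml'
)

# Hypothetical helper: pull (log name, last published record number) pairs
# out of the registry file without needing a YAML module.
# Assumption: each entry lists "name:" before "record_number:".
function Get-WinlogbeatBookmark {
    param([string]$Path)
    $current = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*-?\s*name:\s*(.+?)\s*$') {
            $current = $Matches[1].Trim('"', "'")
        }
        elseif ($current -and $line -match '^\s*record_number:\s*(\d+)') {
            [pscustomobject]@{ Log = $current; RecordNumber = [long]$Matches[1] }
            $current = $null
        }
    }
}

# Reading the Security log requires an elevated session.
foreach ($b in Get-WinlogbeatBookmark -Path $RegistryPath) {
    $oldest = Get-WinEvent -LogName $b.Log -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $oldest) {
        Write-Warning "$($b.Log): log is empty or could not be read"
        continue
    }

    $nextExpected = $b.RecordNumber + 1
    $oldestId     = [long]$oldest.RecordId

    if ($oldestId -gt $nextExpected) {
        # The record after the bookmark has already been overwritten.
        $lost = $oldestId - $nextExpected
        Write-Warning ("{0}: bookmark {1} has rolled out of the log; oldest record is {2}, {3} record(s) missing" -f `
            $b.Log, $b.RecordNumber, $oldestId, $lost)
    }
    else {
        Write-Output ("{0}: bookmark {1} is still within the log (oldest record {2})" -f `
            $b.Log, $b.RecordNumber, $oldestId)
    }
}
```

Run it while Winlogbeat is stopped, just before restarting the service, so the registry file reflects the last position it will try to resume from.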