There is no good way to detect situations where Winlogbeat is starting up and unable to continue ingesting events from the last bookmarked position (i.e. the event log has rolled forward and some events have been lost).
Had this happen with Security events. Eventlog size wasn't sufficient, Winlogbeat was down and tons of security events were logged to the point where the log rolled over.
I think it would be useful if Winlogbeat had a warning in this case, so it's easy to detect and remediate. Currently it outputs a debug message, but enabling (and ingesting) debug-level logs feels like overkill; a warning would be more appropriate.