I am used to Filebeat and customizing it to do what I want, but I am now testing Agent, and those same methods in Filebeat do not seem to work.
Note: I started with Fleet, but moved to standalone agents at this point. I could still create/edit a config in Fleet and copy it over if needed, which is how I have been testing settings.
Questions:
- The elastic-agent.yml file controls what Filebeat monitors, right? If not, what does?
- Assuming #1 is correct, the word filebeat is not used in an elastic-agent.yml config. Is it input.streams which is what enables Filebeat activity?
- I have a basic elastic-agent.yml watching specific files like /var/log/syslog. I definitely do NOT have it set to monitor all of /var/log/, yet I am getting many events, every 30 seconds, that "file /var/log/kern.log has no content yet, skipping" (and other similar /var/log files). Event_dataset is elastic_agent.filebeat. I did not tell Agent/Filebeat to monitor this file. I would like these logs to not appear. What options do I have?
- I looked for a filebeat.yml file and the only one on my system is /var/lib/elastic-agent/data/elastic-agent-de80b0/components/filebeat.yml. I've tried using my old Filebeat methods and changed this file, restarted Agent, but that did not seem to take effect. Should modifying this config have had an effect? (Note: this file, by default, DOES monitor /var/log/*.log, which would explain why /var/log/kern.log and others have events related to them, but if that part of the config works, why not other parts, like disabling metrics?)