Hi All,
I have a problem with FileBeat and Windows Server 2012 R2.
I use FileBeat to read remote IIS logs from 4 webservers; in the Windows Event Viewer I have this error:
{Delayed Write Failed} Windows was unable to save all the data for the file \webserver1\d$\inetpub\logs\LogFiles\W3SVC32\u_ex170911.log; the data has been lost. This error was returned by the server on which the file exists. Please try to save this file elsewhere.
I have those errors from all webservers. My Elastic stack version (Elastic, Kibana, Logstash, FileBeat) is 5.5.2 but I have errors also with past versions.
Which could be the problem? Does Filebeat support UNC paths?
I could run 4 separate instances but I'd prefer to maintain one single instance. Could it be an issue with the Elastic stack, or is it more probably an issue with my server?
I have had this error for one month; before that everything worked correctly.
I haven't seen that error before and I'm not sure what is causing it or if it is Filebeat related. Grabbing all of the data associated with the event log record from the event log could provide additional clues as to the source of the problem. As I understand it those events are being logged on the IIS hosts where Filebeat is not running? Maybe there's an issue with the network file server having the file open while IIS is writing/rotating the logs.
But regardless, having Filebeat read logs from a network share is not recommended because it's unreliable. And you said, "I would not want to miss any data from IIS logs". So please consider running an instance per host.
Hi,
Those events occur on a separate machine where Filebeat is running (no IIS is installed on it). Filebeat grabs events from the other 4 machines with IIS (webservers).
But regardless, I will try to rethink my log system and move Filebeat onto the webservers.
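The per-host layout recommended in the thread, sketched as a `filebeat.yml` for Filebeat 5.x to be installed on each of the four web servers. This is an added example, not a configuration posted by anyone in the thread; the local drive letter `D:` (inferred from the `d$` share), the `log_type` field and the Logstash host name are assumptions.

```yaml
# filebeat.yml deployed on each IIS web server (Filebeat 5.x syntax).
# Added example: Filebeat reads the logs from local disk instead of a
# UNC path, so no remote file handle is held open while IIS writes or
# rotates the file.
filebeat.prospectors:
  - input_type: log
    paths:
      # Local equivalent of \\webserver1\d$\inetpub\logs\LogFiles\...
      # (assumes the d$ administrative share maps to drive D:).
      - 'D:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log'
    # IIS W3C logs begin with header lines such as "#Fields: ...".
    exclude_lines: ['^#']
    # Stop considering daily log files that are no longer being written.
    ignore_older: 48h
    fields:
      log_type: iis            # hypothetical label for Logstash routing
    fields_under_root: true

# Every event carries beat.hostname, so the four servers stay
# distinguishable downstream without per-server prospectors.
output.logstash:
  hosts: ["logstash.example.internal:5044"]   # placeholder host
```

The Filebeat registry file then lives on the same machine as the logs it tracks, so read offsets survive network interruptions between the web servers and the central host.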