I have a question about the behavior of filebeat with logrotate and gzip.
I had a problem with my logstash server that takes all filebeats events. This logstash was stopped so all filebeats could send logs to it.
These files have been gzipped from logrotate, then I restarted the server and I saw gzipped logs in Elasticsearch. I was surprised.
Can you explain how can filebeat manage these cases?
It's for this?
Each prospector keeps a state for each file it finds. Because files can be renamed or moved, the filename and path are not enough to identify a file. For each file, Filebeat stores unique identifiers to detect whether a file was harvested previously.
Thank you so much