Thanks for insights I gained from this topic - Grokparsefailure randomly - #5 by fry2k
I switched from the default tail mode to read mode. However, logs are not streaming to Kibana after the switch (I restarted the server, which refreshed the Logstash agent cache, so the new settings were picked up). Can anyone check the file plugin settings and clarify why the Logstash agent is not sending logs to Kibana?
The moment I roll back (i.e. switch to tail mode), it's OK.
file {
  path => "${LOGS_PATH}/event.*.log.*"
  exclude => "*.gz"
  mode => "read"
  start_position => "beginning"
  sincedb_path => "${LOGS_PATH}/<audit_logs>.db"
  file_completed_action => "log_and_delete"
  file_completed_log_path => "${LOGS_PATH}/complete.log"
}