I downloaded Filebeat 8.8.0 today, and it seems that the tail_files option is not working as expected. When I run Filebeat, it seems to be scanning the entire file and scanning everything, instead of shipping only new lines.
Here is my configuration in filebeat.yml:
# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["dbsx01:5044"]
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"
  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"
And the second change:
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
- type: filestream
  # Unique ID among all inputs, an ID is required.
  id: cadence-01
  # Change to true to enable this input configuration.
  enabled: true
  tail_files: true
  include_lines: ['DENIED']
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /home/puneets/sample/1.txt
  fields:
    cadence: true
The sample file 1.txt:
1 DENIED to ip 100.98.21.1
2 DENIED to ip 100.98.21.2
3 DENIED to ip 100.98.21.3
4 DENIED to ip 100.98.21.4
5 DENIED to ip 100.98.21.5
6 DENIED to ip 100.98.21.6
7 DENIED to ip 100.98.21.7
8 DENIED to ip 100.98.21.8
9 DENIED to ip 100.98.21.9
...........
90 DENIED to ip 100.98.21.90
91 DENIED to ip 100.98.21.91
92 DENIED to ip 100.98.21.92
93 DENIED to ip 100.98.21.93
94 DENIED to ip 100.98.21.94
95 DENIED to ip 100.98.21.95
96 DENIED to ip 100.98.21.96
97 DENIED to ip 100.98.21.97
98 DENIED to ip 100.98.21.98
99 DENIED to ip 100.98.21.99
100 DENIED to ip 100.98.21.100
Here's how I run Filebeat:
./filebeat -v -e -d publisher
And here's how I am running Logstash (8.8.0):
./logstash -e 'input { beats { port => 5044 } } output { stdout {} }'
When I run Filebeat, I noticed that it sent the content of 1.txt from line number 21 (21 DENIED to ip 100.98.21.21) to line number 89 (89 DENIED to ip 100.98.21.89).
Example at the Logstash console -
I was expecting that nothing would appear in the Logstash console output,
and that only if I do something like
echo "100 DENIED to ip 100.98.21.100" >> 1.txt
would the new content appear at Logstash's stdout.
Q: Can someone please help me understand what additional configuration I need in filebeat.yml to get only the latest content shipped to Logstash?
Any help / hints would be very helpful.