What happens when I stop the Winlogbeat service?


(Kevin Valle) #1

Hi, just a quick question regarding what happens when the Winlogbeat service is stopped: Is there a possibility of losing unsent events? Or does the service wait until all unsent messages are sent before shutting down? Would a negative bulk_max_size help ensure that no events can be lost?

Context: I am running Winlogbeat in a VM for a period of time with no intent of reloading after the VM is shut down. My primary concern is possibly losing events in the process of shutting down the VM. I am sending events to a Logstash instance.

Any help would be appreciated.


(Andrew Kroh) #2

Winlogbeat stores its read position on disk and this file is updated only after an acknowledgement is received from the output destination (i.e. Logstash, Elasticsearch). If there is a failure (power loss, machine crash), Winlogbeat will simply resume sending from the last ACK'ed record. A few events may be duplicated but none are ever lost (at-least-once semantics).

On normal shutdown it will stop reading, flush the state to the disk, and exit. It does not read to the end of the event log before exiting.
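
The behaviour described in the reply above, modelled as an added example that is not part of the original thread and is not Winlogbeat's code: a read position that advances only on acknowledgement, a crash between delivery and ACK, and a normal stop that leaves unread records behind. The `Shipper` class, its parameters and the `record-N` sample data are hypothetical and constructed for illustration.

```python
# Constructed simulation; class and field names are hypothetical, not Winlogbeat's.
class Shipper:
    """Reads records in order and advances a checkpoint only on ACK."""

    def __init__(self, event_log, checkpoint=0, batch_size=3):
        self.event_log = event_log      # stand-in for the Windows event log
        self.checkpoint = checkpoint    # stand-in for the on-disk read position
        self.batch_size = batch_size

    def run(self, output, crash_before_ack_of=None, stop_after_batches=None):
        """Ship batches; return the checkpoint that would be found on disk."""
        pos, batches = self.checkpoint, 0
        while pos < len(self.event_log):
            if stop_after_batches is not None and batches == stop_after_batches:
                break                   # normal shutdown: stop reading, keep state
            batch = self.event_log[pos:pos + self.batch_size]
            output.extend(batch)        # the destination has received the batch
            if crash_before_ack_of == batches:
                return self.checkpoint  # ACK never processed, position not advanced
            pos += len(batch)
            self.checkpoint = pos       # persist position only after the ACK
            batches += 1
        return self.checkpoint


def simulate():
    log = [f"record-{i}" for i in range(1, 11)]   # constructed sample records
    received = []                                  # what the destination stored

    # Run 1: crash after the second batch was delivered but before its ACK.
    saved = Shipper(log).run(received, crash_before_ack_of=1)
    # Run 2: restart from the saved position, then a normal stop after one batch.
    saved = Shipper(log, checkpoint=saved).run(received, stop_after_batches=1)
    unread_at_stop = log[saved:]
    # Run 3: a later start picks up where the clean stop left off.
    saved = Shipper(log, checkpoint=saved).run(received)

    duplicates = sorted({r for r in received if received.count(r) > 1})
    missing = [r for r in log if r not in received]
    return {"duplicates": duplicates, "missing": missing,
            "unread_at_stop": unread_at_stop, "final_checkpoint": saved}


if __name__ == "__main__":
    print(simulate())
```

In this model the crash produces three duplicated records and no missing ones, while the four records still unread at the normal stop reach the destination only because a third run takes place.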


(Andrew Kroh) #3