What happens when I stop the Winlogbeat service?

Kevin-Valle · March 24, 2016, 7:12pm

Hi, just a quick question regarding what happens when the Winlogbeat service is stopped: Is there a possibility of losing unsent events? Or does the service wait until all unsent messages are sent before shutting down? Would a negative bulk_max_size help ensure that no events can be lost?

Context: I am running Winlogbeat in a VM for a period of time with no intent of reloading after the VM is shut down. My primary concern is possibly losing events in the process of shutting down the VM. I am sending events to a Logstash instance.

Any help would be appreciated.

andrewkroh · March 24, 2016, 10:57pm

Winlogbeat stores its read position on disk and this file is updated only after an acknowledgement is received from the output destination (i.e. Logstash, Elasticsearch). If there is a failure (power loss, machine crash) Winlogbeat will simply resume sending from last ACK'ed record. A few events may be duplicated but none are ever lost (at-least-once semantics).

On normal shutdown it will stop reading, flush the state the disk, and exit. It does not read to the end of the event log before exiting.

Topic		Replies	Views
Winlogbeat and Windows Event Log Service dependency Beats winlogbeat	1	507	December 5, 2019
What happens when winlogbeat cant ship? Beats winlogbeat	1	304	March 29, 2021
How Logstash keeps track of winlogbeat events? Beats winlogbeat	4	725	October 12, 2017
Winlogbeat stops sending logs Beats winlogbeat	2	323	July 21, 2023
How does Logstash keep track of Winlogbeat events? Logstash	4	515	October 12, 2017

What happens when I stop the Winlogbeat service?

Related topics