What happens when the output of Auditbeat is down

I am using the following pipeline to forward data

Auditbeat ---> logstash ---> ES

Suppose if the logstash machine goes down, I want to know how the Auditbeat handles the situation.

I would like to know the specifics like
1. is there a retry mechanism?
2. how long will it retry?
3. what happens to the audit logs, will it be lost?
4. the reason that I ask question 3 is that we enable auditbeat by disabling the auditd service (which was generating the audit logs under /var/log/audit/audit.log). So if logstash goes down there is no data forwarding happening and hence there is a chance of data loss. Please clarify.
5. if auditbeat is storing the data while logstash is down, where is it doing so? and what is the memory (disk space) allocated to this saving process?

Thanks in advance

Auditbeat will buffer some events in memory until that reaches its cap then it will drop events. But you can configure spooling to disk where it will write events to disk until they are acknowledged by the output. You can read more at https://www.elastic.co/guide/en/beats/auditbeat/7.2/configuring-internal-queue.html#configuration-internal-queue-spool.

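To make the answer concrete, here is an added auditbeat.yml fragment (not from the original post or from Elastic) contrasting the default memory-only queue, which drops events once full, with the disk spool described above; the spool path, sizes and backoff values are assumptions chosen for illustration, and the option names follow the 7.x Beats configuration reference the answer links to.

```yaml
# --- Weak setting: memory-only queue (the default behaviour) ---
# Events wait in RAM for the output to acknowledge them. If Logstash is
# down long enough for the queue to fill, new events are dropped and the
# audit trail has a gap. (Assumed value; the 7.x docs default is 4096.)
# queue.mem:
#   events: 4096
#   flush.min_events: 2048
#   flush.timeout: 1s

# --- Hardened setting: spool unacknowledged events to disk ---
# Only one queue type may be enabled at a time, so queue.mem above is
# commented out. Events are written to a local file and removed only
# after Logstash acknowledges them, so an outage costs disk, not data.
queue.spool:
  file:
    path: "${path.data}/spool.dat"   # assumed location under the Beat data dir
    permissions: 0600                # spool contains audit records: owner-only
    size: 512MiB                     # assumed cap; answers "how much disk is used"
    page_size: 16KiB
    prealloc: true                   # reserve the full file up front
  write:
    buffer_size: 10MiB
    flush.timeout: 5s                # flush buffered events to disk at least every 5s
    flush.events: 1024               # or as soon as 1024 events are buffered
  read:
    flush.timeout: 0s                # hand events to the output as soon as available

# --- Output retry behaviour while Logstash is unreachable ---
output.logstash:
  hosts: ["logstash.example.internal:5044"]   # placeholder host
  max_retries: -1        # negative value: keep retrying instead of dropping after N attempts
  backoff.init: 1s       # first reconnect attempt after 1s ...
  backoff.max: 60s       # ... doubling up to a 60s wait between attempts
```

When the spool file itself fills (512MiB in this example), the Beat stops reading new audit events rather than discarding them, so the spool size is the real bound on how long an outage can be absorbed.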

Thanks a lot @andrewkroh

That answers my question
