When filebeat makes a query, it should be able to specify the time period (say last 1 day, 1 hr, etc.) to get the logs. I am not able to find the config parameter in the filebeat.yml (or in o365.yml).
For instance, when the beat was not running due to some issues locally, when it comes back up, the query can be to get the logs for the period, to catch up with the missing period(s).
Ex: Get logs from timestampX to timestampY
Hope my question is clear.
Hi @sriramb12,
Usually filebeat reads the file/files provided as the module path parameter, and does not make queries (but it might depend on the specific module, I guess). So if the log file was rotated and, for example, removed - there is no way to get older data.
Regarding the o365 module - maybe you can adjust api.max_retention to get older data.