When is it safe to delete a log file from a machine that runs Fleet Agent?

I have several machines that run an Elastic Agent on them.
One of the integrations I used is Custom Logs.
Logs are written to a file with a rotating date (my-logs-DATE.log).

When is a safe time to delete an old log file? When a new one is created?
Will this make sure that all previous logs were already sent to Elasticsearch?

Still interested in this question. Any resources on this?
Thanks!

Hi @lizozom

Interesting question...

In general, you should separate the concepts in your head of

  • log rotation ("When a new log file is created") from
  • when an existing file is read by Elastic Agent / Filebeat, etc.
  • and when you should delete the file (log deletion, which is usually part of the rotation policy)
  • and what is your company's Risk / Retention Policy on logs, etc.

First and foremost, Filebeat / Elastic Agent is not in control of or related to the source log rotation policy, which is defined by the OS or the application writing the logs.

So when it is "safe" to delete the log file is really a policy up to you... that depends on a couple of things.

2nd, just because a new log file is created does not mean the Elastic Agent is finished reading the previous file...

So this can really get into details ... BUT to make it simple...

If Elasticsearch is keeping up with your logs in near real time, teams generally set a log rotation and deletion policy to a time they are comfortable with—a couple hours, a couple days, do you ever want to replay the data, etc.

Also, the resilience and retention of your Elasticsearch come into play... do you have an HA (multi-node) Elasticsearch architecture, are you taking snapshots, etc.?

What is your risk for losing logs...

This all comes down to how critical the logs are, what your Retention and Risk Policies are, etc. For some, they are not very critical, while for others they are highly critical / compliance-based, etc.
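An added example, not part of the thread and not Elastic's code: one way to check that a rotated file has been read to its end before deleting it is to compare its size with the offset recorded in the registry journal of the Filebeat process that Elastic Agent runs. The journal layout (NDJSON `op` headers followed by `k`/`v` entries) and the assumption that the offset advances only after the output acknowledges events are assumptions about an internal, unversioned format; file names, sizes and offsets are constructed.

```python
import json
import os
import tempfile

def read_offsets(journal_lines):
    """Replay registry journal lines (NDJSON) into {source path: offset}."""
    state, op = {}, "set"
    for line in filter(str.strip, journal_lines):
        rec = json.loads(line)
        if "op" in rec:                 # header line announcing the next entry
            op = rec["op"]
        elif op == "remove":
            state.pop(rec.get("k"), None)
        else:
            v = rec.get("v", {})
            # Assumed layouts: log input is flat, filestream nests meta/cursor.
            src = v.get("source") or v.get("meta", {}).get("source")
            off = v.get("offset", v.get("cursor", {}).get("offset"))
            if src is not None and off is not None:
                state[rec["k"]] = (src, off)
    return {src: off for src, off in state.values()}

def deletion_verdict(path, offsets, active_path):
    """'ok' only when the whole file is covered by the registry offset."""
    if path == active_path:
        return "keep: still being written"
    if path not in offsets:
        return "keep: no registry state for this file"
    pending = os.path.getsize(path) - offsets[path]
    return "ok" if pending <= 0 else f"keep: {pending} bytes not acknowledged"

def demo():
    """Constructed sample: name -> (bytes on disk, offsets journalled over time)."""
    d = tempfile.mkdtemp()
    sample = {"my-logs-01.log": (300, [300]), "my-logs-02.log": (500, [200, 350]),
              "my-logs-03.log": (80, []), "my-logs-04.log": (120, [120])}
    journal, paths = [], {}
    for name, (size, offs) in sample.items():
        paths[name] = os.path.join(d, name)
        with open(paths[name], "wb") as fh:
            fh.write(b"x" * size)
        for off in offs:
            journal.append(json.dumps({"op": "set", "id": len(journal) // 2 + 1}))
            journal.append(json.dumps({"k": "filebeat::logs::native::" + name,
                                       "v": {"source": paths[name], "offset": off}}))
    offsets, active = read_offsets(journal), paths["my-logs-04.log"]
    return {n: deletion_verdict(p, offsets, active) for n, p in paths.items()}

if __name__ == "__main__":
    print(demo())
```

An "ok" verdict only says the bytes were read and acknowledged; how long the file is kept after that is still the retention and risk decision described in the answer above.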
