I have several machines running Elastic Agent.
One of the integrations I use is Custom Logs.
Logs are written to a file with a rotating date (my-logs-DATE.log).
When is a safe time to delete an old log file? When a new one is created?
Will this make sure that all previous logs were already sent to Elasticsearch?
In general, you should separate several concepts in your head:

- log rotation (when a new log file is created)
- when an existing file is read by Elastic Agent / Filebeat
- when you should delete the file (log deletion, which is usually part of the rotation policy)
- what your company's risk / retention policy on logs is
First and foremost, Filebeat / Elastic Agent does not control (and is not tied to) the source log rotation policy; that is defined by the OS or the application writing the logs.
So when it is safe to delete a log file is really a policy decision on your side, and it depends on a couple of things.
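For example, on Linux that policy often lives in a logrotate rule rather than anywhere in the agent. A hypothetical sketch (the path, frequency, and retention count are all illustrative assumptions, nothing Elastic requires):

```
# /etc/logrotate.d/my-app (hypothetical)
/var/log/my-logs-*.log {
    daily
    rotate 7          # keep 7 rotated files, then delete the oldest
    compress
    delaycompress     # leave the newest rotated file uncompressed so a
                      # slow reader can still finish it
    missingok
    notifempty
}
```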
Second, just because a new log file has been created does not mean Elastic Agent has finished reading the previous one.
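One way to sanity-check this before deleting is sketched below with `lsof` (the filename is illustrative; note this only tells you no process still has the file open, not that every event in it has already reached Elasticsearch):

```shell
#!/bin/sh
# Sketch: refuse to delete a rotated log while any process (e.g. the
# Elastic Agent / Filebeat input) still holds it open.
# The path is an illustrative assumption.
f="/var/log/my-logs-2024-01-01.log"

if command -v lsof >/dev/null 2>&1 && lsof -- "$f" >/dev/null 2>&1; then
  echo "still open, do not delete: $f"
else
  echo "no open handles, candidate for deletion: $f"
fi
```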
This can get into the details, but to keep it simple:
If Elasticsearch is keeping up with your logs in near real time, teams generally set a log rotation and deletion policy to a window they are comfortable with: a couple of hours, a couple of days, longer if you ever want to replay the data, etc.
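A minimal sketch of such a time-based policy, assuming the agent's ingestion lag is comfortably under the cutoff (the path, name pattern, and 2-day cutoff are all illustrative assumptions):

```shell
# Sketch: delete rotated logs older than 2 days.
# Run e.g. from cron; adjust path, pattern, and cutoff to your policy.
find /var/log -name 'my-logs-*.log' -mtime +2 -print -delete
```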
Also, the resilience and retention of your Elasticsearch deployment come into play: do you have a highly available (multi-node) Elasticsearch architecture? Are you taking snapshots? What is your tolerance for losing logs?
This all comes down to how critical the logs are and what your retention and risk policies say. For some teams the logs are not very critical; for others they are highly critical or compliance-driven.