I have several machines that run an Elastic Agent on them.
One of the integrations I used is Custom Logs.
Logs are written to a file with a rotating date (my-logs-DATE.log).
When is a safe time to delete an old log file? When a new one is created?
Will this make sure that all previous logs were already sent to Elasticsearch?
Still interested in this question. Any resources on this?
Thanks!
Hi @lizozom
Interesting question...
In general, you should separate the concepts in your head of
1st and foremost, Filebeat / Elastic Agent is not in control of or related to the source log rotation policy, which is defined by the OS or The Application writing the logs.
So when it is "Safe" to delete the log file is really a policy up to you.... that depends on a couple things
2nd, just because a new log file is created does not mean the Elastic Agent is finished reading the previous file...
So this can really get into details ... BUT to make it simple...
If Elasticsearch is keeping up with your logs in near real time, teams generally set a log rotation and deletion policy to a time they are comfortable with—a couple hours, a couple days, do you ever want to replay the data, etc.
Also, the resilience and retention of your Elasticsearch come into play... do you have HA (multi-node) elasicsearch architecture, are you taking snapshots etc
What is your risk for losing logs...
This all comes down to how critical the logs are, what your Retention and Risk Policies are, etc. For some, they are not very critical, while for others they are highly critical / compliance-based, etc.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.