Where do these OLD Indexes come from?

Looking at my cluster, I am seeing some clusters with dates back to (logstash-2007.02.26). How on earth did these get created?

Are some sending devices' date/time off?

Found a Windows server where winlogbeat decided to go back to the first log and started piping in logs from 2007.

Even though the winlogbeat config was set to 72h.

Sooooo,
We started pushing out winlogbeat to all our Windows servers and I am systematically finding more and more servers that are logging SYSTEM event logs prior to the 72h option. Is this a bug?

Anyone have any insight or seen this?

It appears that logs older than 72 hours in the System log and the Security logs are getting sent.

Did you remove the registry file between restarts? Try to stop Winlogbeat, remove the registry file and start it again to see if it correctly ignores the events.

Do you send data through LS? Can you share your config for LS and FB?

Did you modify the config file to add ignore_older for all logs that you are monitoring? Each event log has its own configuration block.

winlogbeat.event_logs:
- name: X
  ignore_older: 168h
- name: Y
  ignore_older: 168h
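The point above, that ignore_older is per event-log block and a block without it replays the whole log on first run, is easy to miss in a long winlogbeat.yml. The following added audit script (not from the thread or from the Winlogbeat project) walks the event_logs list of an already-parsed config and flags blocks with no ignore_older, an unparseable value, or a value larger than the intended window. It assumes ignore_older uses Go-style duration strings (h, m, s, ...), and the sample config is constructed to mirror the situation in this thread.

```python
import re

# Go-style duration units; Beats durations such as "72h" or "1h30m" use these.
_UNITS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)")


def parse_duration(text):
    """Return the number of seconds in a Go-style duration string."""
    text = str(text).strip()
    total, pos = 0.0, 0
    for m in _TOKEN.finditer(text):
        if m.start() != pos:  # junk between tokens
            raise ValueError("invalid duration: %r" % text)
        total += float(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):  # empty or trailing junk
        raise ValueError("invalid duration: %r" % text)
    return total


def audit_event_logs(config, max_age="72h"):
    """List event_logs blocks that would ship history older than max_age.

    Accepts the dotted YAML key ("winlogbeat.event_logs") as a plain parser
    returns it, or the nested form that Beats builds from it.
    """
    blocks = config.get("winlogbeat.event_logs")
    if blocks is None:
        blocks = config.get("winlogbeat", {}).get("event_logs", [])
    limit = parse_duration(max_age)
    findings = []
    for block in blocks:
        name = block.get("name", "<unnamed>")
        raw = block.get("ignore_older")
        if raw is None:
            findings.append("%s: ignore_older not set, first run replays the whole log" % name)
            continue
        try:
            age = parse_duration(raw)
        except ValueError as exc:
            findings.append("%s: %s" % (name, exc))
            continue
        if age > limit:
            findings.append("%s: ignore_older %s exceeds %s" % (name, raw, max_age))
    return findings


# Constructed sample: only the Application block has the intended 72h window.
SAMPLE_CONFIG = {"winlogbeat.event_logs": [
    {"name": "Application", "ignore_older": "72h"},
    {"name": "System"},
    {"name": "Security", "ignore_older": "168h"},
]}

if __name__ == "__main__":
    for finding in audit_event_logs(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of any YAML parser on the real winlogbeat.yml; remember that the registry file still has to be removed for a corrected ignore_older to take effect on logs that were already read.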

I don't even see that in the config template.

I will add that now.
