Winlogbeat default age to ingest


(Vam Pikmin) #1

Hi all,
What is the default time frame winlogbeat will ingest if ignore_older is not specified?

I've deleted some indices for this month and would like to try and retrieve them back but I'm only getting today's

Thanks


(Andrew Kroh) #2

The state is stored locally in a file at c:/ProgramData/winlogbeat/.winlogbeat.yml. So you need to stop winlogbeat, delete the file, then restart in order to make it resend all data from the beginning of time.

https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-winlogbeat-options.html#_literal_registry_file_literal


(Vam Pikmin) #3

Thank for your reply. How embarrassing I've missed that.
I've stopped the winlogbeat service and removed the .winlogbeat.yml from the two servers and restarted and still waiting to see data older than today


(Andrew Kroh) #4

Did you remove the ignore_older options from the config file?

You should also check how much data is available in the log. It’s possible that there’s not more data than a day’s worth. It’s possible to adjust the log size in Windows to get longer retention periods.


(Vam Pikmin) #5

Thanks Andrew,
It looks like one of the other techies changed the log size to 128 MB, on our site it's 2 GB
Appreciate the help


(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.