Hi all,
Issue: winlogbeat loses Windows events from Microsoft-IIS-Logging/Logs
Scenario: I collect the IIS logs in Windows Events. Then I send them to Elasticsearch with winlogbeat. But for some reason, winlogbeat loses most of the events.
For example, IIS generates ~5,000 events per minute, and only ~1,500 of them are sent to Elasticsearch.
I checked the winlogbeat log file and searched for "error" and got no results.
Maybe winlogbeat can't handle a large stream of events?
winlogbeat config:
winlogbeat.event_logs:
  # Application log, restricted to the listed TFS providers at Warning level and above
  - name: Application
    level: Critical, Error, Warning
    provider:
      - Team Build Service
      - Team Foundation Error Reporting
      - Team Web Access
      - TeamFoundationSshService
      - TFS Build
      - TFS Deployment Rig
      - TFS Lab Management
      - TFS Proxy Server
      - TFS Scheduler
      - TFS Services
      - TFS Sync Service
      - TFS Test Management
      - TFS Test Rig
      - TFS Version Control
      - TFS Warehouse
      - TFS WorkItem Tracking
  # IIS request logging channel; events older than 72h are ignored
  - name: Microsoft-IIS-Logging/Logs
    ignore_older: 72h

#==================== Elasticsearch template setting ==========================
setup.template.settings:
  index.number_of_shards: 5
setup.dashboards.enabled: false

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["logstash_host:5044"]

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
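To pin down where the events go missing, the first thing worth checking is how many events the Microsoft-IIS-Logging/Logs channel actually receives per minute on the IIS host, and whether the local record IDs are contiguous, before comparing with what Elasticsearch holds for the same window. The PowerShell script below is an added example, not code from the original post or from winlogbeat; the Elasticsearch URL, the winlogbeat-* index pattern and the winlog.channel / @timestamp field names (7.x-style ECS fields) are assumptions.

```powershell
<#
Added example (not part of the original post): count events per minute in a
Windows event channel on the IIS host and, optionally, count the documents
Elasticsearch indexed for the same channel and window. The Elasticsearch URL,
index pattern and field names are assumptions for illustration.
#>
param(
    [string]$LogName = 'Microsoft-IIS-Logging/Logs',
    [int]   $Minutes = 10,
    # Assumed; leave empty to skip the Elasticsearch comparison.
    [string]$EsUrl   = '',
    [string]$EsIndex = 'winlogbeat-*'
)

$end   = Get-Date
$start = $end.AddMinutes(-$Minutes)

# Let the event log service do the time filtering; reading the whole channel
# into PowerShell at thousands of events per minute would be slow.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $start; EndTime = $end } `
                         -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Warning "No events found in $LogName between $start and $end"
    return
}

# Get-WinEvent returns newest first, so [0] is the newest and [-1] the oldest.
$newest = $events[0].RecordId
$oldest = $events[-1].RecordId
"Local events in ${LogName}, last $Minutes min: $($events.Count) (RecordId $oldest .. $newest)"

# RecordIds are assigned sequentially by the channel; a span larger than the
# count means the channel itself dropped or overwrote events in this window.
$expected = $newest - $oldest + 1
if ($expected -ne $events.Count) {
    Write-Warning "RecordId span $expected != count $($events.Count): gaps in the channel itself"
}

# Per-minute buckets on the Windows side.
$events |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object Name |
    ForEach-Object { '{0}  {1,6}' -f $_.Name, $_.Count }

if ($EsUrl) {
    # Count what reached Elasticsearch for the same channel and time window.
    $body = @{
        query = @{
            bool = @{
                filter = @(
                    @{ term  = @{ 'winlog.channel' = $LogName } },
                    @{ range = @{ '@timestamp' = @{
                        gte = $start.ToUniversalTime().ToString('o')
                        lte = $end.ToUniversalTime().ToString('o') } } }
                )
            }
        }
    } | ConvertTo-Json -Depth 10

    $resp = Invoke-RestMethod -Method Post -Uri "$EsUrl/$EsIndex/_count" `
                              -ContentType 'application/json' -Body $body
    "Indexed in Elasticsearch for the same window: $($resp.count)"
    "Difference (local - indexed): $($events.Count - $resp.count)"
}
```

Run it on the IIS host as an account that can read the channel, for example `.\Compare-IisEvents.ps1 -Minutes 5 -EsUrl http://elasticsearch:9200` (script name and URL are placeholders). If the local per-minute counts match the ~5,000 the post describes and the RecordId span has no gaps, the channel is fine and the loss is downstream, in winlogbeat or Logstash; if the local count is already lower, the events never reached the channel in the first place.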