I installed Winlogbeat 6.4 on Windows Server 2008 R2 and sent the log to Logstash. When I set ignore_older to 5S, I found that some logs were lost. What is the reason?
Probably timing
You're asking the Windows event system to process and store an event, the Windows OS to schedule Winlogbeat, and Winlogbeat to query events since its last poll to find this new event before 5s elapse.
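A constructed model of the timing described in the reply above (an added example, not part of the thread and not Winlogbeat's code). It assumes the age filter compares each event's timestamp with the time of the poll that reads it; `run_polls`, the event list and the poll schedule are hypothetical.

```python
"""Constructed model of an age filter applied at read time (not Winlogbeat source)."""
from dataclasses import dataclass


@dataclass
class Event:
    record_id: int
    created: float  # seconds; timestamp the OS wrote on the event


def run_polls(events, poll_times, ignore_older):
    """Replay a poll schedule and return (shipped_ids, dropped_ids).

    Each poll reads every unread event created at or before the poll time,
    then drops any event whose age at read time exceeds ignore_older.
    """
    shipped, dropped = [], []
    pending = sorted(events, key=lambda e: e.record_id)
    for now in poll_times:
        ready = [e for e in pending if e.created <= now]
        pending = [e for e in pending if e.created > now]
        for e in ready:
            age = now - e.created
            (dropped if age > ignore_older else shipped).append(e.record_id)
    return shipped, dropped


# Constructed sample: one event per second for 20 seconds.
EVENTS = [Event(i, float(i)) for i in range(20)]

# Constructed schedule: 1 s polls, one 8 s gap (collector not scheduled),
# then 1 s polls again.
POLL_TIMES = [1.0, 2.0, 3.0] + [float(t) for t in range(11, 21)]


def compare():
    """Run the same schedule with a 5 s window and with a 72 h window."""
    tight = run_polls(EVENTS, POLL_TIMES, ignore_older=5.0)
    wide = run_polls(EVENTS, POLL_TIMES, ignore_older=72 * 3600.0)
    return tight, wide


if __name__ == "__main__":
    (t_ship, t_drop), (w_ship, w_drop) = compare()
    print("5 s window : shipped", len(t_ship), "dropped", t_drop)
    print("72 h window: shipped", len(w_ship), "dropped", w_drop)
```

In this model a single delayed poll is enough to age events past a 5 s window before they are read, while a window wider than any plausible delay ships every event.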