Winlogbeat Restart Services

(Jason Esposito) #1

Quick question.

The ignore: 72h function in Winlogbeat sends logs from 3 days ago.

If I were to start winlogbeat and send a day's worth of logs plus the 3 days before, and then restart winlogbeat, would it send the 3 previous days' worth of logs from that point again? (This would cause duplications.)

(Andrew Kroh) #2

Winlogbeat stores a "bookmark" (using Windows API terminology) in a file at C:\ProgramData\winlogbeat\.winlogbeat.yml and uses this to resume from the last event that it successfully sent. This way it avoids sending duplicates.

With ignore_older: 72h, winlogbeat adds a filter to its query to the Windows API that says to only return events newer than 72h. So if you stopped Winlogbeat for 4 days (92h), it would resume from the last sent record that was 4 days old, but the 72h filter would make it skip over a full day's worth of data.
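The interaction Andrew describes (bookmark prevents duplicates, ignore_older can create a gap) can be checked with a small model of the two mechanisms. The following is an added example, not Winlogbeat's own code and not part of the original thread: it builds a constructed event log with one event per hour, models a first run, a stop, and a restart, and reports how many events are re-sent and how many fall into the gap. The record numbers, timestamps, and the names query and simulate are assumptions made for the model.

```python
from datetime import datetime, timedelta

# Constructed event log for the model (not real Windows events): one event
# per hour, monotonically increasing record numbers, timestamps starting at T0.
T0 = datetime(2024, 1, 1)
LOG = [(rec, T0 + timedelta(hours=rec)) for rec in range(0, 24 * 10 + 1)]


def query(log, now, bookmark_record, ignore_older):
    """Model of one Winlogbeat run (assumption, not Winlogbeat's code):
    resume after the bookmarked record, but only return events newer than
    now - ignore_older, which is the filter the ignore_older setting adds to
    the Windows API query. Returns (sent_records, skipped_records); the
    skipped list is the gap created by the filter."""
    cutoff = now - ignore_older
    sent, skipped = [], []
    for rec, ts in log:
        if ts > now:
            break                  # event has not happened yet
        if rec <= bookmark_record:
            continue               # already shipped: the bookmark prevents duplicates
        if ts < cutoff:
            skipped.append(rec)    # older than ignore_older: never shipped
        else:
            sent.append(rec)
    return sent, skipped


def simulate(stop_hours, ignore_older_hours=72):
    """First run at T0+4d with no bookmark, stop for stop_hours, then restart.
    Returns counts a practitioner would want: duplicates re-sent and gap size."""
    ignore_older = timedelta(hours=ignore_older_hours)
    bookmark = -1                                  # no registry file yet
    first_start = T0 + timedelta(days=4)
    sent1, _ = query(LOG, first_start, bookmark, ignore_older)
    bookmark = sent1[-1]                           # registry file now holds last shipped record

    restart = first_start + timedelta(hours=stop_hours)
    sent2, skipped2 = query(LOG, restart, bookmark, ignore_older)
    duplicates = sorted(set(sent1) & set(sent2))
    return {
        "first_run_sent": len(sent1),
        "bookmark": bookmark,
        "resent_duplicates": len(duplicates),
        "resumed_sent": len(sent2),
        "gap_events": len(skipped2),               # one event == one hour in this log
    }


if __name__ == "__main__":
    for hours in (24, 96):
        print(f"stopped {hours}h:", simulate(hours))
```

With a 24h stop the restart re-sends nothing and skips nothing; with a 96h stop it still re-sends nothing, but the 23 events between the bookmark and the 72h cutoff are never shipped. In other words, the bookmark answers the duplication question and ignore_older is what to watch when an outage is longer than the configured window.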

(Jason Esposito) #3

Thank you Andrew! Perfect