Right no i try to evaluate elk for Windows eventlogs using winlogbeat. no matter what i put in the "ignore_older"-Var, winlogbeat seems always to start from the oldest available eventlog-entry. So it takes very long to come up in elasticsearch.
is this the expected behaviour?
I would expect the shipping to start from the oldest entry specified by the "ignore_older"-var.
Thanks
Robert
The first time it is run it starts from the oldest record. When it restarts it resumes from its previous read position. This information is persisted to the registry_file which is a YAML file. The location of this file is specified in config file. You could open the file to inspect the record ID (the read position) for each event log.
The ignore_older setting is implemented as a filter on the output. It has to read the event before it can decide to drop the record.
In version 5 of Winlogbeat the implementation of ignore_older has changed on Windows Vista and newer. Winlogbeat now uses a time-based query when requesting events from Windows so that only events newer than the ignore_older period are returned to Winlogbeat. This will make Winlogbeat output events more quickly the first time you run it when using ignore_older.
This topic was automatically closed after 3 days. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.