WinlogBeat to Logstash integration

Hi Team -
Winlogbeat is sending events to Logstash at 5044. I have below questions:

  1. In winlogbeat, if I set ignore_older: 10s
    Does this mean that Winlogbeat will check if there are any new events before 10 seconds, or in the last 10 seconds? And in this case, can I miss any events in any situation? I don't want to miss any events. I want all the events to go to Logstash. If I set it to 1 hour, will it check for new events in the last one hour, or will it check for new events before one hour that are not parsed yet? Please help me understand the use of ignore_older.

  2. If I don't mention "ignore_older", what difference will it make to my setup? What is the default check?

  3. What is the default beat time of Winlogbeat or Logstash? After how many seconds or milliseconds does it check for new events or logs?

Akhil Sharma

4. If I turn off Logstash and WinlogBeat for 1 hour. Can I send these events to Logstash which were generated during the time of outage?

Winlogbeat will read logs from the beginning the first time it runs. That can lead to it ingesting very old logs that are of no interest. ignore_older can be used to tell it to ignore events older than some threshold. 10s is an extremely low threshold that may cause data loss if winlogbeat ever restarts. I would set it to at least a couple of days (e.g. 72h).

If you do not include ignore_older then the first time it runs, winlogbeat will ingest data from the very beginning of the event log.

When it shuts down, winlogbeat persists how far in the event log it has read, and starts again from that point when it starts up again. So you should get events generated when winlogbeat was down once it comes back up.
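An added example (not part of the original thread) of a winlogbeat.yml that applies the advice above: the risky 10s setting is shown commented out beside the recommended 72h. The channel names, the Logstash host and the registry-file line are assumptions, not taken from the thread.

```yaml
# Added example winlogbeat.yml, not from the thread above.
# Assumed: Security/System/Application channels, Logstash on localhost:5044.
winlogbeat.event_logs:
  - name: Security
    # ignore_older: 10s   # risky: after a restart, any backlog older than
    #                     # 10 seconds is filtered out, so events can be lost
    ignore_older: 72h     # recommended: only skip very old records on first run
  - name: System
    ignore_older: 72h
  - name: Application
    ignore_older: 72h

# Winlogbeat persists how far it has read in each channel in its registry
# file, so a restart resumes from that point. The default name and location
# depend on the Winlogbeat version; override only if you need a fixed path.
# winlogbeat.registry_file: evtx-registry.yml

output.logstash:
  hosts: ["localhost:5044"]
```

With 72h, events generated during an outage shorter than that window are still shipped once Winlogbeat comes back up, because they are newer than the threshold and past the persisted read position.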

Thanks for the answers. It helped :slight_smile:
