
How do I force rebuild log's data in filebeat 5


  1. Stop the Filebeat service.
  2. Rename the registry file - usually found in /var/lib/filebeat/registry
  3. Start the Filebeat service.

sudo service filebeat stop

sudo mv /var/lib/filebeat/registry /var/lib/filebeat/registry.old

sudo service filebeat start


The Filebeat agent stores all of its state in the registry file. The location of the registry file should be set inside of your configuration file using the filebeat.registry_file configuration option.

I recommend specifying an absolute path in this option so that you know exactly where the file will be located. If you use a relative path then the value is interpreted relative to the ${path.data} directory. On Linux installations, when started as a service or started using the filebeat.sh wrapper, path.data is set to /var/lib/filebeat.

After deleting this registry file, Filebeat will begin reading all files from the beginning (unless you have configured a prospector with tail_files: true).

If you continue to have problems, I recommend looking at the Filebeat log file which will contain a line stating where the registry file is located. For example:

2017/01/18 18:51:31.418587 registrar.go:85: INFO Registry file set to: /var/lib/filebeat/registry
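
The stop / rename / start procedure from the answers above as a script, added here as an example that is not part of any original answer: it takes the registry location from the "Registry file set to:" log line instead of assuming the default path, and moves the file to a timestamped backup. The function names, the `--reset` flag and the log-file argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: reset the Filebeat 5 registry so every file is re-read.
# Assumed names: registry_path_from_log, backup_registry, reset_registry, --reset.

# Print the registry path from the most recent "Registry file set to:" line
# of the Filebeat log file given as $1 (empty output if no such line exists).
registry_path_from_log() {
    sed -n 's/^.*Registry file set to: *//p' "$1" | tail -n 1
}

# Move the registry file $1 aside under a timestamped name and print the
# backup path. Fails without touching anything if the file does not exist.
backup_registry() {
    reg="$1"
    [ -f "$reg" ] || { echo "no registry file at $reg" >&2; return 1; }
    bak="$reg.old.$(date +%Y%m%d%H%M%S)"
    mv -- "$reg" "$bak" && printf '%s\n' "$bak"
}

# Full procedure: stop the service, move the registry aside, start again.
reset_registry() {
    log="$1"
    reg=$(registry_path_from_log "$log")
    [ -n "$reg" ] || { echo "registry path not found in $log" >&2; return 1; }
    service filebeat stop || return 1
    rc=0
    backup_registry "$reg" || rc=$?
    service filebeat start    # bring the service back even if the move failed
    return "$rc"
}

# Runs only when asked, as root:
#   sh reset-registry.sh --reset /path/to/filebeat/logfile
if [ "${1:-}" = "--reset" ]; then
    reset_registry "${2:?path to the Filebeat log file is required}"
fi
```

Keeping the old registry as a backup means the previous read offsets can be restored by stopping the service and moving the file back.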


As already mentioned here, stopping the filebeat service, deleting the registry file(s) and restarting the service is correct.

I just wanted to add for Windows users, if you haven't specified a unique location for the filebeat.registry_file, it will likely default to ${path.data}/registry which is somewhat confusingly the C:\ProgramData\filebeat directory as mentioned by the folks at Elastic.

In my case I had to show hidden files before it was displayed.