On my Windows Server, I have NxLog configured to send Setup Event Viewer logs to Logstash through JSON. Setup Event Viewer has a total of 1991 logs.

Logstash is configured to send those logs to two different destinations: a file and Elasticsearch.

All 1991 logs are sent to the file perfectly. But they are duplicated when inserted into Elasticsearch. The duplicated events have a different _id.

I've searched for a single event, registered with a RecordNumber of 1991 (my last event). RecordNumber is an event log unique identifier incremented by Windows every time an event is generated by the system in a particular log scope (in my case Setup).


As you see, the _id is different for each one.

I already cleaned up the entire Logstash with the command below, purged the Elasticsearch index directory (/elasticsearch_data/*) and restarted Logstash, but no success...

Any idea what might be happening?



