diff --git a/NOTICE.txt b/NOTICE.txt index 207dc8035f33..791a75f57ea5 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -12700,12 +12700,12 @@ SOFTWARE -------------------------------------------------------------------------------- -Dependency : github.com/elastic/elastic-agent-libs -Version: v0.7.3 +Dependency : github.com/belimawr/elastic-agent-libs +Version: v0.2.9-0.20240116105334-25f61a14ad41 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/github.com/elastic/elastic-agent-libs@v0.7.3/LICENSE: +Contents of probable licence file $GOMODCACHE/github.com/belimawr/elastic-agent-libs@v0.2.9-0.20240116105334-25f61a14ad41/LICENSE: Apache License Version 2.0, January 2004 diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml index 883760ab410b..0e0530db6b0c 100644 --- a/auditbeat/auditbeat.reference.yml +++ b/auditbeat/auditbeat.reference.yml 
@@ -1544,6 +1544,42 @@ logging.files: # file. Defaults to true. # rotateonstartup: true +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/auditbeat + + # The name of the files where the logs are written to. + #name: auditbeat-events-data + + # Configure log file size limit. If the limit is reached, log file will be + # automatically rotated. + #rotateeverybytes: 10485760 # = 10MB + + # Number of rotated log files to keep. The oldest files will be deleted first. + #keepfiles: 7 + + # The permissions mask to apply when rotating log files. The default value is 0600. + # Must be a valid Unix-style file permissions mask expressed in octal notation. + #permissions: 0600 + + # Enable log file rotation on time intervals in addition to the size-based rotation. + # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h + # are boundary-aligned with minutes, hours, days, weeks, months, and years as + # reported by the local system clock. All other intervals are calculated from the + # Unix epoch. Defaults to disabled. + #interval: 0 + + # Rotate existing logs on startup rather than appending them to the existing + # file. Defaults to true. + # rotateonstartup: true + # ============================= X-Pack Monitoring ============================== # Auditbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The 
diff --git a/auditbeat/auditbeat.yml b/auditbeat/auditbeat.yml index eb87fec7e7e8..e882ac93aaff 100644 --- a/auditbeat/auditbeat.yml +++ b/auditbeat/auditbeat.yml @@ -169,6 +169,20 @@ processors: # "publisher", "service". #logging.selectors: ["*"] +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/auditbeat + + # The name of the files where the logs are written to. + #name: auditbeat-events-data + # ============================= X-Pack Monitoring ============================== # Auditbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index 755db3726e7e..7cf1f54d1616 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml 
@@ -2640,6 +2640,42 @@ logging.files: # file. Defaults to true. # rotateonstartup: true +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/filebeat + + # The name of the files where the logs are written to. + #name: filebeat-events-data + + # Configure log file size limit. If the limit is reached, log file will be + # automatically rotated. + #rotateeverybytes: 10485760 # = 10MB + + # Number of rotated log files to keep. The oldest files will be deleted first. + #keepfiles: 7 + + # The permissions mask to apply when rotating log files. The default value is 0600. + # Must be a valid Unix-style file permissions mask expressed in octal notation. + #permissions: 0600 + + # Enable log file rotation on time intervals in addition to the size-based rotation. + # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h + # are boundary-aligned with minutes, hours, days, weeks, months, and years as + # reported by the local system clock. All other intervals are calculated from the + # Unix epoch. Defaults to disabled. + #interval: 0 + + # Rotate existing logs on startup rather than appending them to the existing + # file. Defaults to true. + # rotateonstartup: true + # ============================= X-Pack Monitoring ============================== # Filebeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The 
diff --git a/filebeat/filebeat.yml b/filebeat/filebeat.yml index aa50779b9221..3add6f54a11a 100644 --- a/filebeat/filebeat.yml +++ b/filebeat/filebeat.yml @@ -186,6 +186,20 @@ processors: # "publisher", "service". #logging.selectors: ["*"] +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/filebeat + + # The name of the files where the logs are written to. + #name: filebeat-events-data + # ============================= X-Pack Monitoring ============================== # Filebeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The diff --git a/go.mod b/go.mod index 04f519c56d67..18073970dcde 100644 --- a/go.mod +++ b/go.mod @@ -420,4 +420,4 @@ replace ( // Exclude this version because the version has an invalid checksum. exclude github.com/docker/distribution v2.8.0+incompatible -replace github.com/elastic/elastic-agent-libs => github.com/belimawr/elastic-agent-libs v0.2.9-0.20231221105324-aedb70a4f832 +replace github.com/elastic/elastic-agent-libs => github.com/belimawr/elastic-agent-libs v0.2.9-0.20240116105334-25f61a14ad41 diff --git a/go.sum b/go.sum index 6f5bf770b531..0fabd310e7a4 100644 --- a/go.sum +++ b/go.sum 
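Review bot: The `replace` line at the end of go.mod still resolves `github.com/elastic/elastic-agent-libs` to the personal fork `github.com/belimawr/elastic-agent-libs` at an untagged pseudo-version. Every Beat built from this tree therefore takes its `logp`, `config` and `file` packages from a repository outside the upstream organisation. The NOTICE.txt hunk in this commit shows the effect: the dependency is now recorded under the fork's path instead of upstream `v0.7.3`. This looks like a development-time pin; before merge the library change should be released upstream, the requirement moved to that tagged version, and this `replace` removed. If it must stay for now, a comment above it such as `// TEMPORARY: fork pin for the events logger; remove once upstream elastic-agent-libs ships it` makes it harder to release by accident.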
@@ -373,8 +373,8 @@ github.com/awslabs/goformation/v4 v4.1.0 h1:JRxIW0IjhYpYDrIZOTJGMu2azXKI+OK5dP56
 github.com/awslabs/goformation/v4 v4.1.0/go.mod h1:MBDN7u1lMNDoehbFuO4uPvgwPeolTMA2TzX1yO6KlxI=
 github.com/awslabs/kinesis-aggregation/go/v2 v2.0.0-20220623125934-28468a6701b5 h1:lxW5Q6K2IisyF5tlr6Ts0W4POGWQZco05MJjFmoeIHs=
 github.com/awslabs/kinesis-aggregation/go/v2 v2.0.0-20220623125934-28468a6701b5/go.mod h1:0Qr1uMHFmHsIYMcG4T7BJ9yrJtWadhOmpABCX69dwuc=
-github.com/belimawr/elastic-agent-libs v0.2.9-0.20231221105324-aedb70a4f832 h1:hCPNCDrtpZg8GekH7RptPcJ9C/Dgr2ebku2lETqFFw0=
-github.com/belimawr/elastic-agent-libs v0.2.9-0.20231221105324-aedb70a4f832/go.mod h1:EbRwBMsWoU4IHGKJlTrxbxC03hkihS9W4h+UgraLdDM=
+github.com/belimawr/elastic-agent-libs v0.2.9-0.20240116105334-25f61a14ad41 h1:4kwfzIBmNATT0es3HsgZP7W4p6OUo1TCOk5qchsUzTs=
+github.com/belimawr/elastic-agent-libs v0.2.9-0.20240116105334-25f61a14ad41/go.mod h1:pGMj5myawdqu+xE+WKvM5FQzKQ/MonikkWOzoFTJxaU=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/benbjohnson/immutable v0.2.1/go.mod h1:uc6OHo6PN2++n98KHLxW8ef4W42ylHiQSENghE1ezxI=
 github.com/benbjohnson/tmpl v1.0.0/go.mod h1:igT620JFIi44B6awvU9IsDhR77IXWtFigTLil/RPdps=
diff --git a/heartbeat/heartbeat.reference.yml b/heartbeat/heartbeat.reference.yml
index 2b2f28382e91..37e20655fef2 100644
--- a/heartbeat/heartbeat.reference.yml
+++ b/heartbeat/heartbeat.reference.yml
@@ -1636,6 +1636,42 @@ logging.files: # file. Defaults to true. # rotateonstartup: true +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/heartbeat + + # The name of the files where the logs are written to. + #name: heartbeat-events-data + + # Configure log file size limit. If the limit is reached, log file will be + # automatically rotated. + #rotateeverybytes: 10485760 # = 10MB + + # Number of rotated log files to keep. The oldest files will be deleted first. + #keepfiles: 7 + + # The permissions mask to apply when rotating log files. The default value is 0600. + # Must be a valid Unix-style file permissions mask expressed in octal notation. + #permissions: 0600 + + # Enable log file rotation on time intervals in addition to the size-based rotation. + # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h + # are boundary-aligned with minutes, hours, days, weeks, months, and years as + # reported by the local system clock. All other intervals are calculated from the + # Unix epoch. Defaults to disabled. + #interval: 0 + + # Rotate existing logs on startup rather than appending them to the existing + # file. Defaults to true. + # rotateonstartup: true + # ============================= X-Pack Monitoring ============================== # Heartbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The 
diff --git a/heartbeat/heartbeat.yml b/heartbeat/heartbeat.yml index 8accb212db4b..0b28eec374e0 100644 --- a/heartbeat/heartbeat.yml +++ b/heartbeat/heartbeat.yml @@ -152,6 +152,20 @@ processors: # "publisher", "service". #logging.selectors: ["*"] +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/heartbeat + + # The name of the files where the logs are written to. + #name: heartbeat-events-data + # ============================= X-Pack Monitoring ============================== # Heartbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The diff --git a/libbeat/_meta/config/logging.reference.yml.tmpl b/libbeat/_meta/config/logging.reference.yml.tmpl index 660bbb73a02a..d43818aa743c 100644 --- a/libbeat/_meta/config/logging.reference.yml.tmpl +++ b/libbeat/_meta/config/logging.reference.yml.tmpl 
@@ -67,3 +67,39 @@ logging.files: # Rotate existing logs on startup rather than appending them to the existing # file. Defaults to true. # rotateonstartup: true + +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/{{.BeatName}} + + # The name of the files where the logs are written to. + #name: {{.BeatName}}-events-data + + # Configure log file size limit. If the limit is reached, log file will be + # automatically rotated. + #rotateeverybytes: 10485760 # = 10MB + + # Number of rotated log files to keep. The oldest files will be deleted first. + #keepfiles: 7 + + # The permissions mask to apply when rotating log files. The default value is 0600. + # Must be a valid Unix-style file permissions mask expressed in octal notation. + #permissions: 0600 + + # Enable log file rotation on time intervals in addition to the size-based rotation. + # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h + # are boundary-aligned with minutes, hours, days, weeks, months, and years as + # reported by the local system clock. All other intervals are calculated from the + # Unix epoch. Defaults to disabled. + #interval: 0 + + # Rotate existing logs on startup rather than appending them to the existing + # file. Defaults to true. + # rotateonstartup: true diff --git a/libbeat/_meta/config/logging.yml.tmpl b/libbeat/_meta/config/logging.yml.tmpl index 00227ad0cdfd..7fe93c9fc0a1 100644 --- a/libbeat/_meta/config/logging.yml.tmpl 
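Review bot: The comment block introducing `logging.events` says the file receives raw events but not what that implies for the operator: presumably these entries can carry whatever the Beat collected, so the file needs tighter handling than the ordinary log. I would add a line after the intro such as `# This file can contain sensitive event data; keep the default 0600 permissions and exclude it from routine log collection.` The intro also has a comma splice and `it's` where `its` is meant. The sample `#name: {{.BeatName}}-events-data` disagrees with loggingconfig.asciidoc in this commit, which gives the default name as '{beatname_lc}', so one of the two needs correcting. The `#permissions: 0600` sample also omits that asciidoc's statement that the option is not supported on Windows, which matters for winlogbeat.reference.yml. The same text is in logging.yml.tmpl and in every per-beat `*.yml` and `*.reference.yml` hunk in this diff, which appear to be rendered from these templates, so fixing the templates and regenerating should cover all of them.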
+++ b/libbeat/_meta/config/logging.yml.tmpl @@ -8,3 +8,17 @@ # To enable all selectors, use ["*"]. Examples of other selectors are "beat", # "publisher", "service". #logging.selectors: ["*"] + +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/{{.BeatName}} + + # The name of the files where the logs are written to. + #name: {{.BeatName}}-events-data diff --git a/libbeat/docs/loggingconfig.asciidoc b/libbeat/docs/loggingconfig.asciidoc index 4ba73c1b60db..b6f3eef9cbb9 100644 --- a/libbeat/docs/loggingconfig.asciidoc +++ b/libbeat/docs/loggingconfig.asciidoc 
@@ -293,3 +293,73 @@ Below are some samples: `2017-12-17T18:54:16.242-0500 INFO [example] logp/core_test.go:16 some message` `2017-12-17T18:54:16.242-0500 INFO [example] logp/core_test.go:19 some message {"x": 1}` + +ifndef::serverless[] +[float] +=== Configuration options for events logger + +Some outputs will log raw events on errors like indexing errors in the +Elasticsearch output, to prevent logging raw events together with other +log messages, a different log file, only for log entries containing raw events, +is used. It will use the same level, selectors and all other configurations +from the default logger, but it will have it's own file configuration. + +[float] +==== `logging.events.files.path` + +The directory that log files are written to. The default is the logs path. See +the <> section for details. + +[float] +==== `logging.events.files.name` + +The name of the file that logs are written to. The default is '{beatname_lc}'. + +[float] +==== `logging.events.files.rotateeverybytes` + +The maximum size of a log file. If the limit is reached, a new log file is +generated. The default size limit is 10485760 (10 MB). + +[float] +==== `logging.events.files.keepfiles` + +The number of most recent rotated log files to keep on disk. Older files are +deleted during log rotation. The default value is 7. The `keepfiles` options has +to be in the range of 2 to 1024 files. + +[float] +==== `logging.events.files.permissions` + +The permissions mask to apply when rotating log files. The default value is +0600. The `permissions` option must be a valid Unix-style file permissions mask +expressed in octal notation. In Go, numbers in octal notation must start with +'0'. + +The most permissive mask allowed is 0640. If a higher permissions mask is +specified via this setting, it will be subject to an umask of 0027. + +This option is not supported on Windows. 
+ +Examples: + +* 0640: give read and write access to the file owner, and read access to members of the group associated with the file. +* 0600: give read and write access to the file owner, and no access to all others. + +[float] +==== `logging.events.files.interval` + +Enable log file rotation on time intervals in addition to size-based rotation. +Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h +are boundary-aligned with minutes, hours, days, weeks, months, and years as +reported by the local system clock. All other intervals are calculated from the +unix epoch. Defaults to disabled. + +[float] +==== `logging.events.files.rotateonstartup` + +If the log file already exists on startup, immediately rotate it and start +writing to a new file instead of appending to the existing one. Defaults to +true. +endif::serverless[] + diff --git a/libbeat/outputs/elasticsearch/elasticsearch.go b/libbeat/outputs/elasticsearch/elasticsearch.go index 268540a5676c..3fd89bd7c581 100644 --- a/libbeat/outputs/elasticsearch/elasticsearch.go +++ b/libbeat/outputs/elasticsearch/elasticsearch.go @@ -18,6 +18,8 @@ package elasticsearch import ( + "go.uber.org/zap" + "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/esleg/eslegclient" @@ -25,7 +27,6 @@ import ( "github.com/elastic/beats/v7/libbeat/outputs/outil" "github.com/elastic/elastic-agent-libs/config" "github.com/elastic/elastic-agent-libs/logp" - "go.uber.org/zap" ) func init() { diff --git a/libbeat/outputs/fileout/file.go b/libbeat/outputs/fileout/file.go index 4c20c924ee0e..884fa0a054b3 100644 --- a/libbeat/outputs/fileout/file.go +++ b/libbeat/outputs/fileout/file.go @@ -23,6 +23,8 @@ import ( "path/filepath" "time" + "go.uber.org/zap" + "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/outputs" "github.com/elastic/beats/v7/libbeat/outputs/codec" 
@@ -30,7 +32,6 @@ import ( c "github.com/elastic/elastic-agent-libs/config" "github.com/elastic/elastic-agent-libs/file" "github.com/elastic/elastic-agent-libs/logp" - "go.uber.org/zap" ) func init() { diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml index d6b8b9e9475d..a5c1ded2826d 100644 --- a/metricbeat/metricbeat.reference.yml +++ b/metricbeat/metricbeat.reference.yml 
@@ -2394,6 +2394,42 @@ logging.files: # file. Defaults to true. # rotateonstartup: true +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/metricbeat + + # The name of the files where the logs are written to. + #name: metricbeat-events-data + + # Configure log file size limit. If the limit is reached, log file will be + # automatically rotated. + #rotateeverybytes: 10485760 # = 10MB + + # Number of rotated log files to keep. The oldest files will be deleted first. + #keepfiles: 7 + + # The permissions mask to apply when rotating log files. The default value is 0600. + # Must be a valid Unix-style file permissions mask expressed in octal notation. + #permissions: 0600 + + # Enable log file rotation on time intervals in addition to the size-based rotation. + # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h + # are boundary-aligned with minutes, hours, days, weeks, months, and years as + # reported by the local system clock. All other intervals are calculated from the + # Unix epoch. Defaults to disabled. + #interval: 0 + + # Rotate existing logs on startup rather than appending them to the existing + # file. Defaults to true. + # rotateonstartup: true + # ============================= X-Pack Monitoring ============================== # Metricbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The 
diff --git a/metricbeat/metricbeat.yml b/metricbeat/metricbeat.yml index a148cfb3b517..3925d12b82c8 100644 --- a/metricbeat/metricbeat.yml +++ b/metricbeat/metricbeat.yml @@ -142,6 +142,20 @@ processors: # "publisher", "service". #logging.selectors: ["*"] +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/metricbeat + + # The name of the files where the logs are written to. + #name: metricbeat-events-data + # ============================= X-Pack Monitoring ============================== # Metricbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The diff --git a/packetbeat/packetbeat.reference.yml b/packetbeat/packetbeat.reference.yml index 1e013fb081f5..242578aaf492 100644 --- a/packetbeat/packetbeat.reference.yml +++ b/packetbeat/packetbeat.reference.yml 
@@ -2010,6 +2010,42 @@ logging.files: # file. Defaults to true. # rotateonstartup: true +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/packetbeat + + # The name of the files where the logs are written to. + #name: packetbeat-events-data + + # Configure log file size limit. If the limit is reached, log file will be + # automatically rotated. + #rotateeverybytes: 10485760 # = 10MB + + # Number of rotated log files to keep. The oldest files will be deleted first. + #keepfiles: 7 + + # The permissions mask to apply when rotating log files. The default value is 0600. + # Must be a valid Unix-style file permissions mask expressed in octal notation. + #permissions: 0600 + + # Enable log file rotation on time intervals in addition to the size-based rotation. + # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h + # are boundary-aligned with minutes, hours, days, weeks, months, and years as + # reported by the local system clock. All other intervals are calculated from the + # Unix epoch. Defaults to disabled. + #interval: 0 + + # Rotate existing logs on startup rather than appending them to the existing + # file. Defaults to true. + # rotateonstartup: true + # ============================= X-Pack Monitoring ============================== # Packetbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The 
diff --git a/packetbeat/packetbeat.yml b/packetbeat/packetbeat.yml index fea1a2fb1153..a5026fdbb353 100644 --- a/packetbeat/packetbeat.yml +++ b/packetbeat/packetbeat.yml @@ -270,6 +270,20 @@ processors: # "publisher", "service". #logging.selectors: ["*"] +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/packetbeat + + # The name of the files where the logs are written to. + #name: packetbeat-events-data + # ============================= X-Pack Monitoring ============================== # Packetbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The diff --git a/winlogbeat/winlogbeat.reference.yml b/winlogbeat/winlogbeat.reference.yml index 8b7bad94c232..d00eb7b6f0a1 100644 --- a/winlogbeat/winlogbeat.reference.yml +++ b/winlogbeat/winlogbeat.reference.yml 
@@ -1426,6 +1426,42 @@ logging.files: # file. Defaults to true. # rotateonstartup: true +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/winlogbeat + + # The name of the files where the logs are written to. + #name: winlogbeat-events-data + + # Configure log file size limit. If the limit is reached, log file will be + # automatically rotated. + #rotateeverybytes: 10485760 # = 10MB + + # Number of rotated log files to keep. The oldest files will be deleted first. + #keepfiles: 7 + + # The permissions mask to apply when rotating log files. The default value is 0600. + # Must be a valid Unix-style file permissions mask expressed in octal notation. + #permissions: 0600 + + # Enable log file rotation on time intervals in addition to the size-based rotation. + # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h + # are boundary-aligned with minutes, hours, days, weeks, months, and years as + # reported by the local system clock. All other intervals are calculated from the + # Unix epoch. Defaults to disabled. + #interval: 0 + + # Rotate existing logs on startup rather than appending them to the existing + # file. Defaults to true. + # rotateonstartup: true + # ============================= X-Pack Monitoring ============================== # Winlogbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The 
diff --git a/winlogbeat/winlogbeat.yml b/winlogbeat/winlogbeat.yml index f6d5ac9069e3..012bee36190b 100644 --- a/winlogbeat/winlogbeat.yml +++ b/winlogbeat/winlogbeat.yml @@ -155,6 +155,20 @@ processors: # "publisher", "service". #logging.selectors: ["*"] +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/winlogbeat + + # The name of the files where the logs are written to. + #name: winlogbeat-events-data + # ============================= X-Pack Monitoring ============================== # Winlogbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml index 45d1c4af8510..3cc7dd140568 100644 --- a/x-pack/auditbeat/auditbeat.reference.yml +++ b/x-pack/auditbeat/auditbeat.reference.yml 
@@ -1600,6 +1600,42 @@ logging.files: # file. Defaults to true. # rotateonstartup: true +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/auditbeat + + # The name of the files where the logs are written to. + #name: auditbeat-events-data + + # Configure log file size limit. If the limit is reached, log file will be + # automatically rotated. + #rotateeverybytes: 10485760 # = 10MB + + # Number of rotated log files to keep. The oldest files will be deleted first. + #keepfiles: 7 + + # The permissions mask to apply when rotating log files. The default value is 0600. + # Must be a valid Unix-style file permissions mask expressed in octal notation. + #permissions: 0600 + + # Enable log file rotation on time intervals in addition to the size-based rotation. + # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h + # are boundary-aligned with minutes, hours, days, weeks, months, and years as + # reported by the local system clock. All other intervals are calculated from the + # Unix epoch. Defaults to disabled. + #interval: 0 + + # Rotate existing logs on startup rather than appending them to the existing + # file. Defaults to true. + # rotateonstartup: true + # ============================= X-Pack Monitoring ============================== # Auditbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The 
diff --git a/x-pack/auditbeat/auditbeat.yml b/x-pack/auditbeat/auditbeat.yml index 7bdea6578cc7..0e1dbb5c2c28 100644 --- a/x-pack/auditbeat/auditbeat.yml +++ b/x-pack/auditbeat/auditbeat.yml @@ -196,6 +196,20 @@ processors: # "publisher", "service". #logging.selectors: ["*"] +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/auditbeat + + # The name of the files where the logs are written to. + #name: auditbeat-events-data + # ============================= X-Pack Monitoring ============================== # Auditbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 14308c2cce15..8eae6f4c44a9 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -5016,6 +5016,42 @@ logging.files: # file. Defaults to true. # rotateonstartup: true +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/filebeat + + # The name of the files where the logs are written to. + #name: filebeat-events-data + + # Configure log file size limit. If the limit is reached, log file will be + # automatically rotated. + #rotateeverybytes: 10485760 # = 10MB + + # Number of rotated log files to keep. The oldest files will be deleted first. + #keepfiles: 7 + + # The permissions mask to apply when rotating log files. The default value is 0600. + # Must be a valid Unix-style file permissions mask expressed in octal notation. + #permissions: 0600 + + # Enable log file rotation on time intervals in addition to the size-based rotation. + # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h + # are boundary-aligned with minutes, hours, days, weeks, months, and years as + # reported by the local system clock. All other intervals are calculated from the + # Unix epoch. Defaults to disabled. + #interval: 0 + + # Rotate existing logs on startup rather than appending them to the existing + # file. Defaults to true. + # rotateonstartup: true + # ============================= X-Pack Monitoring ============================== # Filebeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The 
diff --git a/x-pack/filebeat/filebeat.yml b/x-pack/filebeat/filebeat.yml index aa50779b9221..3add6f54a11a 100644 --- a/x-pack/filebeat/filebeat.yml +++ b/x-pack/filebeat/filebeat.yml @@ -186,6 +186,20 @@ processors: # "publisher", "service". #logging.selectors: ["*"] +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/filebeat + + # The name of the files where the logs are written to. + #name: filebeat-events-data + # ============================= X-Pack Monitoring ============================== # Filebeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The diff --git a/x-pack/functionbeat/functionbeat.reference.yml b/x-pack/functionbeat/functionbeat.reference.yml index 4e939b686a60..c1dd7ba8e879 100644 --- a/x-pack/functionbeat/functionbeat.reference.yml +++ b/x-pack/functionbeat/functionbeat.reference.yml 
@@ -1264,6 +1264,42 @@ logging.files: # file. Defaults to true. # rotateonstartup: true +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/functionbeat + + # The name of the files where the logs are written to. + #name: functionbeat-events-data + + # Configure log file size limit. If the limit is reached, log file will be + # automatically rotated. + #rotateeverybytes: 10485760 # = 10MB + + # Number of rotated log files to keep. The oldest files will be deleted first. + #keepfiles: 7 + + # The permissions mask to apply when rotating log files. The default value is 0600. + # Must be a valid Unix-style file permissions mask expressed in octal notation. + #permissions: 0600 + + # Enable log file rotation on time intervals in addition to the size-based rotation. + # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h + # are boundary-aligned with minutes, hours, days, weeks, months, and years as + # reported by the local system clock. All other intervals are calculated from the + # Unix epoch. Defaults to disabled. + #interval: 0 + + # Rotate existing logs on startup rather than appending them to the existing + # file. Defaults to true. + # rotateonstartup: true + # ============================= X-Pack Monitoring ============================== # Functionbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The 
diff --git a/x-pack/functionbeat/functionbeat.yml b/x-pack/functionbeat/functionbeat.yml index 9a2627ca44f1..0544fec54fd4 100644 --- a/x-pack/functionbeat/functionbeat.yml +++ b/x-pack/functionbeat/functionbeat.yml @@ -365,6 +365,20 @@ processors: # "publisher", "service". #logging.selectors: ["*"] +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/functionbeat + + # The name of the files where the logs are written to. + #name: functionbeat-events-data + # ============================= X-Pack Monitoring ============================== # Functionbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The diff --git a/x-pack/heartbeat/heartbeat.reference.yml b/x-pack/heartbeat/heartbeat.reference.yml index 2b2f28382e91..37e20655fef2 100644 --- a/x-pack/heartbeat/heartbeat.reference.yml +++ b/x-pack/heartbeat/heartbeat.reference.yml 
@@ -1636,6 +1636,42 @@ logging.files: # file. Defaults to true. # rotateonstartup: true +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/heartbeat + + # The name of the files where the logs are written to. + #name: heartbeat-events-data + + # Configure log file size limit. If the limit is reached, log file will be + # automatically rotated. + #rotateeverybytes: 10485760 # = 10MB + + # Number of rotated log files to keep. The oldest files will be deleted first. + #keepfiles: 7 + + # The permissions mask to apply when rotating log files. The default value is 0600. + # Must be a valid Unix-style file permissions mask expressed in octal notation. + #permissions: 0600 + + # Enable log file rotation on time intervals in addition to the size-based rotation. + # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h + # are boundary-aligned with minutes, hours, days, weeks, months, and years as + # reported by the local system clock. All other intervals are calculated from the + # Unix epoch. Defaults to disabled. + #interval: 0 + + # Rotate existing logs on startup rather than appending them to the existing + # file. Defaults to true. + # rotateonstartup: true + # ============================= X-Pack Monitoring ============================== # Heartbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The 
diff --git a/x-pack/heartbeat/heartbeat.yml b/x-pack/heartbeat/heartbeat.yml index 8accb212db4b..0b28eec374e0 100644 --- a/x-pack/heartbeat/heartbeat.yml +++ b/x-pack/heartbeat/heartbeat.yml @@ -152,6 +152,20 @@ processors: # "publisher", "service". #logging.selectors: ["*"] +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/heartbeat + + # The name of the files where the logs are written to. + #name: heartbeat-events-data + # ============================= X-Pack Monitoring ============================== # Heartbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml index a22db4f7f8cf..643131dbba00 100644 --- a/x-pack/metricbeat/metricbeat.reference.yml +++ b/x-pack/metricbeat/metricbeat.reference.yml 
@@ -2955,6 +2955,42 @@ logging.files: # file. Defaults to true. # rotateonstartup: true +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/metricbeat + + # The name of the files where the logs are written to. + #name: metricbeat-events-data + + # Configure log file size limit. If the limit is reached, log file will be + # automatically rotated. + #rotateeverybytes: 10485760 # = 10MB + + # Number of rotated log files to keep. The oldest files will be deleted first. + #keepfiles: 7 + + # The permissions mask to apply when rotating log files. The default value is 0600. + # Must be a valid Unix-style file permissions mask expressed in octal notation. + #permissions: 0600 + + # Enable log file rotation on time intervals in addition to the size-based rotation. + # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h + # are boundary-aligned with minutes, hours, days, weeks, months, and years as + # reported by the local system clock. All other intervals are calculated from the + # Unix epoch. Defaults to disabled. + #interval: 0 + + # Rotate existing logs on startup rather than appending them to the existing + # file. Defaults to true. + # rotateonstartup: true + # ============================= X-Pack Monitoring ============================== # Metricbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The 
diff --git a/x-pack/metricbeat/metricbeat.yml b/x-pack/metricbeat/metricbeat.yml index a148cfb3b517..3925d12b82c8 100644 --- a/x-pack/metricbeat/metricbeat.yml +++ b/x-pack/metricbeat/metricbeat.yml @@ -142,6 +142,20 @@ processors: # "publisher", "service". #logging.selectors: ["*"] +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/metricbeat + + # The name of the files where the logs are written to. + #name: metricbeat-events-data + # ============================= X-Pack Monitoring ============================== # Metricbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The diff --git a/x-pack/osquerybeat/osquerybeat.reference.yml b/x-pack/osquerybeat/osquerybeat.reference.yml index 1de9a267ae5c..0a54ac67afba 100644 --- a/x-pack/osquerybeat/osquerybeat.reference.yml +++ b/x-pack/osquerybeat/osquerybeat.reference.yml 
@@ -983,6 +983,42 @@ logging.files: # file. Defaults to true. # rotateonstartup: true +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/osquerybeat + + # The name of the files where the logs are written to. + #name: osquerybeat-events-data + + # Configure log file size limit. If the limit is reached, log file will be + # automatically rotated. + #rotateeverybytes: 10485760 # = 10MB + + # Number of rotated log files to keep. The oldest files will be deleted first. + #keepfiles: 7 + + # The permissions mask to apply when rotating log files. The default value is 0600. + # Must be a valid Unix-style file permissions mask expressed in octal notation. + #permissions: 0600 + + # Enable log file rotation on time intervals in addition to the size-based rotation. + # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h + # are boundary-aligned with minutes, hours, days, weeks, months, and years as + # reported by the local system clock. All other intervals are calculated from the + # Unix epoch. Defaults to disabled. + #interval: 0 + + # Rotate existing logs on startup rather than appending them to the existing + # file. Defaults to true. + # rotateonstartup: true + # ============================= X-Pack Monitoring ============================== # Osquerybeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The 
diff --git a/x-pack/osquerybeat/osquerybeat.yml b/x-pack/osquerybeat/osquerybeat.yml index 5a3dcde51e97..e187ba70c1e6 100644 --- a/x-pack/osquerybeat/osquerybeat.yml +++ b/x-pack/osquerybeat/osquerybeat.yml @@ -128,6 +128,20 @@ processors: # "publisher", "service". #logging.selectors: ["*"] +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/osquerybeat + + # The name of the files where the logs are written to. + #name: osquerybeat-events-data + # ============================= X-Pack Monitoring ============================== # Osquerybeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The diff --git a/x-pack/packetbeat/packetbeat.reference.yml b/x-pack/packetbeat/packetbeat.reference.yml index 1e013fb081f5..242578aaf492 100644 --- a/x-pack/packetbeat/packetbeat.reference.yml +++ b/x-pack/packetbeat/packetbeat.reference.yml 
@@ -2010,6 +2010,42 @@ logging.files: # file. Defaults to true. # rotateonstartup: true +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/packetbeat + + # The name of the files where the logs are written to. + #name: packetbeat-events-data + + # Configure log file size limit. If the limit is reached, log file will be + # automatically rotated. + #rotateeverybytes: 10485760 # = 10MB + + # Number of rotated log files to keep. The oldest files will be deleted first. + #keepfiles: 7 + + # The permissions mask to apply when rotating log files. The default value is 0600. + # Must be a valid Unix-style file permissions mask expressed in octal notation. + #permissions: 0600 + + # Enable log file rotation on time intervals in addition to the size-based rotation. + # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h + # are boundary-aligned with minutes, hours, days, weeks, months, and years as + # reported by the local system clock. All other intervals are calculated from the + # Unix epoch. Defaults to disabled. + #interval: 0 + + # Rotate existing logs on startup rather than appending them to the existing + # file. Defaults to true. + # rotateonstartup: true + # ============================= X-Pack Monitoring ============================== # Packetbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The 
diff --git a/x-pack/packetbeat/packetbeat.yml b/x-pack/packetbeat/packetbeat.yml index fea1a2fb1153..a5026fdbb353 100644 --- a/x-pack/packetbeat/packetbeat.yml +++ b/x-pack/packetbeat/packetbeat.yml @@ -270,6 +270,20 @@ processors: # "publisher", "service". #logging.selectors: ["*"] +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/packetbeat + + # The name of the files where the logs are written to. + #name: packetbeat-events-data + # ============================= X-Pack Monitoring ============================== # Packetbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The diff --git a/x-pack/winlogbeat/winlogbeat.reference.yml b/x-pack/winlogbeat/winlogbeat.reference.yml index 528560748fb4..eb3ce116c243 100644 --- a/x-pack/winlogbeat/winlogbeat.reference.yml +++ b/x-pack/winlogbeat/winlogbeat.reference.yml 
@@ -1428,6 +1428,42 @@ logging.files: # file. Defaults to true. # rotateonstartup: true +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/winlogbeat + + # The name of the files where the logs are written to. + #name: winlogbeat-events-data + + # Configure log file size limit. If the limit is reached, log file will be + # automatically rotated. + #rotateeverybytes: 10485760 # = 10MB + + # Number of rotated log files to keep. The oldest files will be deleted first. + #keepfiles: 7 + + # The permissions mask to apply when rotating log files. The default value is 0600. + # Must be a valid Unix-style file permissions mask expressed in octal notation. + #permissions: 0600 + + # Enable log file rotation on time intervals in addition to the size-based rotation. + # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h + # are boundary-aligned with minutes, hours, days, weeks, months, and years as + # reported by the local system clock. All other intervals are calculated from the + # Unix epoch. Defaults to disabled. + #interval: 0 + + # Rotate existing logs on startup rather than appending them to the existing + # file. Defaults to true. + # rotateonstartup: true + # ============================= X-Pack Monitoring ============================== # Winlogbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The 
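Review bot: The `#permissions: 0600` comment describes a Unix-style mask, but Winlogbeat runs on Windows, where such a mask is, as far as I know, not translated into an ACL, so the stated 0600 default would not by itself limit who can read the raw-events file. The sample `#path: /var/log/winlogbeat` is likewise a Unix path in a Windows-only Beat. I would add `# On Windows the mask is not applied as an ACL; restrict access through the ACL of the log directory.` and show a Windows-style example path instead. The path remark also applies to the other Winlogbeat hunks on this page (the first hunk, winlogbeat/winlogbeat.yml and x-pack/winlogbeat/winlogbeat.yml). If the existing logging.files section already uses these examples, the change belongs in the shared template rather than in this file alone.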
diff --git a/x-pack/winlogbeat/winlogbeat.yml b/x-pack/winlogbeat/winlogbeat.yml index bf7d2f819ebb..c88939331f7b 100644 --- a/x-pack/winlogbeat/winlogbeat.yml +++ b/x-pack/winlogbeat/winlogbeat.yml @@ -156,6 +156,20 @@ processors: # "publisher", "service". #logging.selectors: ["*"] +# Some outputs will log raw events on errors like indexing errors in the +# Elasticsearch output, to prevent logging raw events together with other +# log messages, a different log file, only for log entries containing raw events, +# is used. It will use the same level, selectors and all other configurations +# from the default logger, but it will have it's own file configuration. +#logging.events: + #files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/winlogbeat + + # The name of the files where the logs are written to. + #name: winlogbeat-events-data + # ============================= X-Pack Monitoring ============================== # Winlogbeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The