Answering my own question:
In fact, this is not expected and it's a known bug for windows. You can check it here here and here (quote below).
After several tests on Linux and Windows, I realized that if logstash is (re-) started on Windows, all logs are parsed from the beginning again. It does not matter if I set a start_position or an since_db path, or an combination of both, the setting will be ignored.
UPDATE:
I fixed this by manually patching logstash-1.3.3-flatjar.jar with some changes made by edwinf to ruby-filewatch. In case you want to do the same:
- Open https://github.com/jordansissel/ruby-filewatch/tree/master/lib/filewatch and download buftok.rb, tail.rb, watch.rb and winhelper.rb
- Open logstash-1.3.3-flatjar.jar using any zip file editor and put the downloaded files inside the folder named "filewatch" (replace the original files)
- Download JRubyFileExtension.jar from https://github.com/jordansissel/ruby-filewatch/tree/master/java
- Put this file at the root of logstash-1.3.3-flatjar.jar (while opening it with a zip file editor).
- Done. Logstash must be rerun, of course :)
The pull request which fixes this issue can be found at https://github.com/jordansissel/ruby-filewatch/pull/22