read here in detail:
second * is the relevant one for your question, however the entire context is important too.
start_from = <string>
* How the input should chronologically read the Event Log channels.
* If you set this setting to "oldest", the input reads Windows event logs
from oldest to newest.
* If you set this setting to "newest" the input reads Windows event logs
in reverse, from newest to oldest. Once the input consumes the backlog of
events, it stops.
* If you set this setting to "newest", and at the same time set the
"current_only" setting to 0, the combination can result in the input
indexing duplicate events.
* Do not set this setting to "newest" and at the same time set the
"current_only" setting to 1. This results in the input not collecting
any events because you instructed it to read existing events from oldest
to newest and read only incoming events concurrently (A logically
* Default: "oldest".