I have a logstash setup configured for publishing events from a file (once a new record gets added into a log file) Currently the logstash process has stopped on my instance. What happens if I restart logstash, does it will start publishing from top of the file or from where it lastly published?. The instance which logstash was running haven't been restarted.
Thanks in advance
What happens if I restart logstash, does it will start publishing from top of the file or from where it lastly published?
The depends on your configuration.
Hi magnusbaeck,
Thanks for the quick feedback. This is the configuration
input {
file {
path => "/opt/nginx/logs/updates.log"
type => "updates_log"
}
}
filter {
if [type] == "updates_log" {
mutate { replace => { "type" => "updates_log" } }
grok {
match => { "message" => "Message being sent" }
}
date {
match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
}
geoip {
source => "clientip"
}
}
}
output {
if [type] == "updates_log" {
http {
url => "URL of the receiver"
http_method => "post"
format => "json"
headers => [
'Authorization', 'Basic sampleBearer’
]
}
}
}
Will it start publishing from top of the file once logstash is restarted?
Thanks in advance
Will it start publishing from top of the file once logstash is restarted?
No. The file input documentation describes this in detail.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.