Can filebeat recognize .gz log files?

talka · May 9, 2023, 3:06pm

Hi,
I'm using filebeat version 8.7.0.

/var/log list the following files:
-rwxrwxrwx 1 1000 1000 244631 Mar 21 06:30 cron
-rwxrwxrwx 1 1000 1000 48940 Feb 26 03:37 cron-20230226.gz
-rwxrwxrwx 1 1000 1000 48766 Mar 5 03:31 cron-20230305.gz
-rwxrwxrwx 1 1000 1000 49153 Mar 12 03:22 cron-20230312.gz
-rwxrwxrwx 1 1000 1000 48982 Mar 19 03:39 cron-20230319.gz

filebeat.yml is configured as following:

type: log
paths:
- /var/log/cron*
  encoding: plain
  fields:
  tag: cron
  close_eof: true

The problem is that only cron file is recognized while other cron*.gz file aren't recognized.

Any idea how exactly need to define so all *.gz files will be recognized?

Thanks, Tal.

stephenb · May 11, 2023, 2:49am

Hi @talka Welcome to the communty!

Sorry to have your first post be this...

Currently, beats do not support backfilling archived logs.

You have 2 choices ...
Temporaryily uncompress them or
perhaps take a look at this solution

Yeah, I know... painful but that is where we stand

system · June 8, 2023, 2:49am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.