Clarification about Filebeat usage is needed

Elastic Stack Beats
1

Hello,

my application writes log file /var/log/app.log.
At 00:00, this log file is rotated:
mv /var/log/app.log /var/log/app.log.bak
kill -1 <APP_PID> --> re-opens /var/log/app.log

Do I understand it correctly that:

  1. filebeat will read app.log all day long and send lines to ES. After log file is rotated, filebeat will notice that filename has changed, read all.log.bak until the end of file and then reopen newly created /var/log/app.log?
  2. if for some reason ES becomes unavailable, filebeat will pause reading file and wait for ES to become reachable again. And then it will continue as described in 1)?

Thanks.

2
  1. Yes, only app.log.bak and the new app.log will be processed concurrently, in case not all events have been processed yet. Filebeat in general tries to process files concurrently. In case filebeat is not restarted, it will keep the old app.log open until it has finished processing it (which is perfectly fine on linux).
    Filebeat remembers files by inode. That is, the log-rotation should use mv. This guarantees the file identity did not change.
  2. yep
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.