Clarification about Filebeat usage is needed

John16 · February 4, 2017, 1:24pm

Hello,

my application writes log file /var/log/app.log.
At 00:00, this log file is rotated:
mv /var/log/app.log /var/log/app.log.bak
kill -1 <APP_PID> --> re-opens /var/log/app.log

Do I understand it correctly that:

filebeat will read app.log all day long and send lines to ES. After log file is rotated, filebeat will notice that filename has changed, read all.log.bak until the end of file and then reopen newly created /var/log/app.log?
if for some reason ES becomes unavailable, filebeat will pause reading file and wait for ES to become reachable again. And then it will continue as described in 1)?

Thanks.

steffens · February 4, 2017, 2:48pm

Yes, only app.log.bak and the new app.log will be processed concurrently, in case not all events have been processed yet. Filebeat in general tries to process files concurrently. In case filebeat is not restarted, it will keep the old app.log open until it has finished processing it (which is perfectly fine on linux).
Filebeat remembers files by inode. That is, the log-rotation should use mv. This guarantees the file identity did not change.
yep

system · March 4, 2017, 2:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat still process old log file Beats filebeat	5	1756	February 7, 2019
Filebeat: anything to know about rotating logfiles? Beats filebeat	3	476	September 27, 2019
Filebeat doesn't read file after rotation Beats filebeat	1	339	May 14, 2019
How does Filebeat handle log rotation Beats filebeat	2	1227	November 24, 2016
Filebeat for rotated logs: the old harvest always is handled before new harvest? Beats filebeat	1	208	March 30, 2022

Clarification about Filebeat usage is needed

Related topics