Docker autodiscover feature: losing tail of logs when container gets stopped

smamontov · June 22, 2018, 4:48pm

I'm running docker container without --rm option to make sure this is not because log file is removed by docker. The problem is that not all events are getting sent to elasticsearch: messages are ignored since the point when docker spawns stop event, because autodiscover manager closes harvester too early:

WARN	[cfgwarn]	docker/input.go:29	EXPERIMENTAL: Docker input is enabled.
INFO	log/input.go:111	Configured paths: [/var/lib/docker/containers/f50305f7/*.log]
INFO	autodiscover/autodiscover.go:144	Autodiscover starting runner: input [type=docker, ID=1190163555171836425]
INFO	input/input.go:87	Starting input of type: docker; ID: 1190163555171836425 
INFO	log/harvester.go:228	Harvester started for file: /var/lib/docker/containers/f50305f7/f50305f7-json.log

... after 10 seconds ...

INFO	autodiscover/autodiscover.go:181	Autodiscover stopping runner: input [type=docker, ID=1190163555171836425]
INFO	input/input.go:121	input ticker stopped
INFO	input/input.go:138	Stopping Input: 1190163555171836425
INFO	log/harvester.go:249	Reader was closed: /var/lib/docker/containers/f50305f7/f50305f7-json.log. Closing.

After inspecting events in my index, I've realized only 530 first messages were indexed out of 568.

Is there any solution?

jsoriano · June 25, 2018, 4:22pm

I think this can be related with this issue https://github.com/elastic/beats/issues/6694

smamontov · June 26, 2018, 12:58pm

Thank you!

system · July 24, 2018, 12:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.