Enabling fingerprint file_identiy

MajorNickle · November 22, 2023, 5:37pm

Hey all,

I'm stuck with getting the fingerprint file_identity working. I have a few nfs mounts from which I'm reading log files. I tried enabling the fingerprint option in the scanner but it seems like it's not really being applied. I'm suspecting this cause when I run filebeat then unmount a share and remount it's again reading the log from the very beginning. I would expect it to identify it by the hash it generates from the first 0-1024 bytes correct? Is there any way to see if fingerprint is enabled and running within the filebeat logs?

Below is a snippet from my config file.

- type: filestream
  id: my-filestream-id
  enabled: true
  paths:
    - /my/path/*/log/access.log
  prospector.scanner.fingerprint.enabled: true
  prospector.scanner.fingerprint.offset: 0
  prospector.scanner.fingerprint.length: 1024
  file_identity.fingerprint: ~

Thanks for any help in advance!
F

leandrojmp · November 22, 2023, 5:49pm

If I'm not wrong you also need to configure the file_identity to tell that it will use the fingerprint method.

From the documentation you would need add this to your input:

file_identity.fingerprint: ~

MajorNickle · November 22, 2023, 5:59pm

Sorry I did have that line already in my config just forgot to add it above. With that option set it's still reading the log from the beginning everytime I remount the share.

MajorNickle · November 22, 2023, 9:24pm

Ok after reinstalling filebeat on my hosts I now can see registry entries in /var/lib/filebeat/registry/filebeat/log.json. It seems to do the fingerprint and also store the offset. However when I umount and mount the share, it's still reading the log from the beginning. What am I missing here? The fingerprint seems to stay the same. Below are some line from the above log.json file.

Before umount

{
    "k":"filestream::my-filestream-id::fingerprint::97f35983dad82bc9deea3b3c5f496fca99bbb1427144835ccaf2f81e26d71239",
    "v":{
        "ttl":1800000000000,
        "updated":[279413623333240,1700687491],
        "cursor":{"offset":4078955},
        "meta":{
            "source":"/my/path/device01/log/access.log",
            "identifier_name":"fingerprint"
        }
    }
}

After mount

{
    "k":"filestream::my-filestream-id::fingerprint::97f35983dad82bc9deea3b3c5f496fca99bbb1427144835ccaf2f81e26d71239",
    "v":{
        "ttl":1800000000000,
        "updated":[279413860450242,1700687642],
        "cursor":{"offset":4078955},
        "meta":{
            "source":"/my/path/device01/log/access.log",
            "identifier_name":"fingerprint"
        }
    }
}

MajorNickle · November 23, 2023, 3:55pm

After setting clean_remove to false this works as expected.

system · December 21, 2023, 5:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat fingerprint excessive logs Beats filebeat	15	665	March 22, 2024
Usage of filestream Beats filebeat	8	768	February 1, 2023
Filestream Fingerprint Mode Beats filebeat	5	173	March 13, 2024
File beat cant present my application log Beats filebeat	5	529	June 15, 2018
Filebeat Harvester Beats filebeat	3	1291	March 6, 2018

Enabling fingerprint file_identiy

Related topics