I set file_completed_action to "delete", but the files still exist and are not logged after parsing. I've also tried changing the permissions on these files to allow write. Here's my config and the file permissions.
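input {
  file {
    # Glob of logcat files to ingest.
    path => "/home/vagrant/Downloads/*/package_0000000000_20200514T171015Z/logcat/0_logcat.txt"
    # Read mode treats every matched file as content-complete. The
    # file_completed_* settings below are only honoured in this mode; in the
    # default "tail" mode they are ignored, so the files were never removed.
    mode => "read"
    # Has no effect in read mode (files are always read from the start); kept
    # so the config still behaves the same if mode is switched back to tail.
    start_position => "beginning"
    #sincedb_path => "/devspace/test/logcatdb.txt"
    #sincedb_path => "/devspace/work/test2.txt"
    # No read position is persisted, so any file still on disk after a restart
    # is ingested again.
    sincedb_path => "/dev/null"
    # "delete" removes the source file without writing a record of it. Use
    # "log" or "log_and_delete" if the completed-file log below should be
    # populated; it is not written for plain "delete".
    # Deleting depends on the Logstash user having write permission on the
    # containing directory, not on the file's own mode bits, so the files do
    # not need to be world-writable (rw-rw-rw-) for this to work.
    file_completed_action => "delete"
    file_completed_log_path => "/devspace/work/testacomplete"
  }
}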
filter {
  # Split each logcat line into timestamp, priority letter, tag, pid and text.
  # NOTE(review): the LOGCAT_* names are not stock grok patterns; presumably
  # they come from a custom patterns directory not shown here - confirm.
  grok {
    match => { "message" => "%{LOGCAT_TIMESTAMP:log_time}.*?%{LOGCAT_TAG_LETTER:tag_letter}.*?%{LOGCAT_TAG:tag}.*?%{NUMBER:process_number}([\)]): .*?%{LOGCAT_MSG:log}" }
    # match => ["path", "/devspace/test/logsdecryp/%{USERNAME:pwrcycle}/%{USERNAME:pkg_name}/logcat/%{USERNAME:filename}.txt" ]
    # match => ["pkg_name", "([a-z]*)_%{NUMBER:serial_number}_%{USERNAME:folder_date}T%{USERNAME:folder_time}Z" ]
  }

  # Derive power_cycle, pkg_name and filename from the source file path.
  # NOTE(review): the input glob reads from /home/vagrant/Downloads while this
  # pattern expects /devspace/work - verify the path field really matches,
  # otherwise pkg_name is never set and the filters below will tag failures.
  grok {
    #match => {"path" => "/devspace/test/logsdecryp/%{USERNAME:power_cycle}/%{USERNAME:pkg_name}/logcat/%{USERNAME:filename}.txt" }
    match => { "path" => "/devspace/work/%{USERNAME:power_cycle}/%{USERNAME:pkg_name}/logcat/%{USERNAME:filename}.txt" }
  }

  # Break the package directory name into serial number and folder date.
  grok {
    match => { "pkg_name" => "([a-z]*)_%{USERNAME:serial_number}_%{USERNAME:folder_date}" }
    #T%{USERNAME:folder_time}Z" }
  }

  # Disabled: integer conversion of the pid and a date-only folder_date parse.
  # mutate {
  #   convert => {
  #     "process_number" => "integer"
  #   }
  # }
  # # date {
  # #   match => [ "folder_date" , "yyyyMMdd" ],
  # # }

  # Parse the folder's timestamp into file_timestamp.
  date {
    match  => [ "folder_date", "yyyyMMdd'T'HHmmss'Z'" ]
    target => "file_timestamp"
    # target => "logstamp"
  }

  # Parse the per-line logcat time (the format carries no year) into log_timestamp.
  date {
    match  => [ "log_time", "MM-dd HH:mm:ss.SSS" ]
    target => "log_timestamp"
  }
}
output {
  # Send parsed events to the Elasticsearch node on this host. No credentials
  # or TLS options are set here; if the node is reachable from anywhere other
  # than loopback, configure the plugin's user/password and TLS settings.
  elasticsearch {
    hosts => ["localhost:9200"]
  }
  # Uncomment to print each event to the console while debugging the filters.
  #stdout { codec => rubydebug }
}
Here are the permissions:
-rw-rw-rw- 1 2300147 May 14 13:10 0_logcat.txt
-rw-rw-rw- 1 2181945 May 12 18:13 1_logcat.txt
-rw-rw-rw- 1 2660975 May 12 18:13 2_logcat.txt
-rw-rw-rw- 1 2807346 May 14 12:47 3_logcat.txt
-rw-rw-rw- 1 8880157 May 14 12:14 4_logcat.txt
-rw-rw-rw- 1 11595811 May 14 11:24 5_logcat.txt
Thanks!
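I figured it out: I needed to add mode => "read" to the file input. file_completed_action only takes effect in read mode; in the default tail mode it is ignored, which is why the files were never deleted.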