Logstash will read the new log lines and the older ones.
You have 2 cases:
Case 1:
You created the file while Logstash was down but it is older than 24 hours
Logstash comes back up. It ignores that log file and does not read from it
The log file is modified by adding new lines
Logstash will start reading the file from the beginning, new lines and older ones will be read
Case 2:
You created the file while Logstash was up so it is older than 48 hours. Meaning that Logstash already read that file.
The file happened to be modified when Logstash was down but the modification happened at least 24 hours before restarting Logstash. Meaning that the last position known for this file in the sincedb file is not the last line of the file.
Logstash comes back up. It ignores that log file and does not read from it
The log file is modified by adding new lines
Logstash will start reading the file from the last position known (old lines not read yet and new ones)
I don't know if I'm understandable...
I hope this helps though.
The only lines that won't be read again are those already read before the crash.
If not read, when modifying the file, Logstash will just resume from the last known position in the sincedb file for the file that was modified
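
The two cases described above, replayed against a small model, which helps when working out which lines reach the pipeline after an outage. This is an added example, not part of the original post and not Logstash code: `TailerModel`, `scan` and `replay_cases` are hypothetical names, the timestamps and log lines are constructed, and the 24-hour threshold is the one the post uses.

```python
# Simplified model of the behaviour described in the post above; this is not
# Logstash code. TailerModel, scan() and replay_cases() are hypothetical names.
IGNORE_OLDER = 24 * 3600  # seconds, the post's 24-hour threshold


class TailerModel:
    def __init__(self, ignore_older=IGNORE_OLDER):
        self.ignore_older = ignore_older
        self.sincedb = {}  # file key -> lines already read (stands in for a byte offset)

    def scan(self, key, lines, mtime, now):
        """One discovery pass over a file; returns the lines that get emitted."""
        if now - mtime > self.ignore_older:
            return []  # too old: skipped, recorded position left untouched
        start = self.sincedb.get(key, 0)  # no record: start at the beginning
        self.sincedb[key] = len(lines)
        return lines[start:]


def replay_cases():
    hour, now = 3600, 1_000_000  # constructed timestamps
    out = {}

    # Case 1: file written while the reader was down, last modified 30 h ago.
    t = TailerModel()
    f = ["old-1", "old-2"]
    out["case1_restart"] = t.scan("a.log", f, now - 30 * hour, now)
    f.append("new-1")  # file modified after the restart
    out["case1_after_append"] = t.scan("a.log", f, now, now)

    # Case 2: two lines read before the crash, two more appended during downtime.
    t = TailerModel()
    g = ["read-1", "read-2"]
    t.scan("b.log", g, now - 48 * hour, now - 48 * hour)  # read while still up
    g += ["missed-1", "missed-2"]  # appended 30 h before the restart
    out["case2_restart"] = t.scan("b.log", g, now - 30 * hour, now)
    g.append("new-1")
    out["case2_after_append"] = t.scan("b.log", g, now, now)
    return out


if __name__ == "__main__":
    for step, lines in replay_cases().items():
        print(step, lines)
```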