File input plugin lost first part of log line

Juan_Rella · October 1, 2016, 2:53pm

We're working with the version 2.3.x of logstash and we've defined a input file plugin to read apache logs on this way

file {
	add_field => ["timestamp", ""]
	path => "/var/log/httpd/access_log.*"
	start_position => end
	type => "beaconEvent"
	sincedb_path => "/since/.sincedb*"
	sincedb_write_interval => 15
}

we've detected that sometimes this plugin reads an incomplete access log line. It lose an unknown amount of characters at the beginning of this line.
It seems to be related with the offset it is handle on sincedb_path but we could not find a pattern. we removed all files of sincedb_path it worked ok with a big volume or records.
We've watched there was a same issue on previous versions of this tool (https://logstash.jira.com/browse/LOGSTASH-1503) . does anybody could help me?

LionelCons · June 29, 2017, 6:18am

We have seen the same problem with Kafka logs (log4j) and Logstash 5.4.

This might be the same problem as https://github.com/logstash-plugins/logstash-input-file/issues/151 (Lost data on rotation).

Topic		Replies	Views
Logstash file input plugin: missing first lines after log rotation Logstash	3	805	November 22, 2021
File plugin not reading files as expected Logstash	4	896	July 6, 2017
Logstash lost data when using file input plugin Logstash	1	838	December 24, 2019
[Input file plugin] sincedb default path changed since plugin version 3.1.1, so from logstash 5.0.0 and on Logstash	1	1056	May 3, 2017
"File" fail to read a file (sometimes) Logstash	1	814	July 6, 2017

File input plugin lost first part of log line

Related topics