Hey there,
currently we have a problem with our filebeat version 6.3.2 on windows server 2016.
We have an application that logs massivly in one logfile. After the logfile size reached 20MB it gets rotated.
The problem:
Sometimes the rotation does not work because it seems like filebeat has still an active filehandle on it while on the same time saying that the logfile is inactive and the harvester is closed. Thus leading to very large logfiles and logs not beeing harvested. The only workaround so far is restarting the filebeat service.
The filebeat log contains serveral entries saying close_inactive (5m) is reached and the harvester is closed while the application log is still active and write logs so the inactivity should never be reached.
My guess is that the close is not really working, so the filehandle is still open preventing the application of rotating the logfile.
So this problem is leading me to two questions:
- Why does filebeat think that the logfile is inactive
- Why is close_inactive (probably) not closing the filehandle
Does anyone has similar problems or any ideas how to fix that?
Thanks!
Edit:
Config is kept simple:
> - type: log
> enabled: true
> paths:
>
> fields:
> log-type: xxx
> application_name: xxx
> component: xxx
> environment: Production
> type: log
> fields_under_root: true
>
> ### Multiline options
>
> multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{3}'
> multiline.negate: true
> multiline.match: after