Filebeat Lost of first lines when rotating files

Florian_Bahu · November 27, 2024, 3:55pm

Hello,

I noticed some issues when Filebeat reads a new file: the first line is sometimes skipped. So I made a quick script to test this:

#/bin/bash
for i in {00..100}; do
mv toto.log toto.log.${i} && touch toto.log
echo "test line" >> toto.log
sleep 2
done

I expect to have 101 lines in my Logstash output, but I get a random number of lines. Here is my Filebeat configuration:

path.home: /home/user
path.logs: ${path.home}/logs
path.data: ${path.home}/data
path.config: ${path.home}

logging.level: debug
logging.to_files: true
logging.files:
  path: ${path.logs}
  name: filebeat
  keepfiles: 7
  permissions: 0640



filebeat.inputs:

- type: filestream
  id: test-stream
  enabled: true
  paths:
    - /root/toto*.log
  tags:
    - testing
  ignore_older: 48h
  fields_under_root: true
  scan_frequency: "1s"
  close.on_state_change.renamed: true

output.logstash:
  hosts: ["ipAddress:5044"]
  bulk_max_size: 0

My Filebeat version is 8.16.1. I tried adjusting some parameters, but nothing changed. Does anyone have any idea what's happening and how I can solve my problem?

strawgate · November 27, 2024, 7:19pm

this setting causes Filebeat to stop reading files once they have been renamed

When this option is enabled, Filebeat closes the file handler when a file is renamed. This happens, for example, when rotating files. By default, the harvester stays open and keeps reading the file because the file handler does not depend on the file name. If the close.on_state_change.renamed option is enabled and the file is renamed or moved in such a way that it’s no longer matched by the file patterns specified for the , the file will not be picked up again. Filebeat will not finish reading the file.

Try setting that to false

Florian_Bahu · November 28, 2024, 10:09am

It doesn't seem to have any effect on the result. I still get a random number of lines in my Logstash output.

strawgate · November 28, 2024, 2:15pm

During file rotation, you are renaming the log files to a name that is not part of the glob you've given to filebeat: .log.# vs *.log

strawgate · November 28, 2024, 2:19pm

Also worth noting that these two settings will have a negative performance impact and should likely be removed before moving this into production

Topic		Replies	Views
Filebeats, unable to read all the data from log file Beats filebeat	9	632	November 10, 2022
Filebeat loses first lines when file rotated Beats filebeat	1	192	April 11, 2023
Filebeat read log4j2 rotated log file again Beats filebeat	3	1685	February 27, 2018
Filebeat is losing events due to file rotate Beats filebeat	5	2484	July 1, 2016
How does filebeat react to files dumped at once Beats filebeat	3	1099	July 5, 2017

Filebeat Lost of first lines when rotating files

Related topics