FileBeat not following logfile

cawoodm · February 27, 2019, 8:23pm

FileBeat is not noticing new entries in our log files. To take one example we have a logfile modified recently (20:59 CET) but the registry is showing 14:40 UTC (15:40 CET):

{"source":"D:\hybris\log\tomcat\access.20190227.log","offset":68114397,"timestamp":"2019-02-27T14:40:32.1251557+01:00"

We have since restarted FileBeat several times. What can be the reason?

We are seeing logstash complain that ES is not accepting data and in the ES Log we are seeing update_mapping [_doc] events. The ES/Logstash server is not running at high CPU usage.

Logstash Log:

[2019-02-27T21:21:48,734][ERROR][logstash.outputs.elasticsearch] Encountered a retryable error. Will Retry with exponential backoff  {:code=>400, :url=>"http://xxxxxx:9200/_bulk"}

kvch · February 28, 2019, 7:48am

Could you please share the debug logs of your Filebeat instance? Also, please paste its configuration file here formatted using </>.
My hunch is that either Logstash or Elasticsearch is not able to process the requests quickly enough, so Filebeat stops reading new events until it can forward events in its queue. But ofc I need more info to say something useful.

cawoodm · March 1, 2019, 3:40pm

Yes, that was indeed the case. Elastic Search was waaay behind it's workload.

system · March 29, 2019, 3:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat is not reading updated logfile Beats filebeat	6	1978	July 11, 2016
Filebeat can't keep up with the logs Beats filebeat	3	1380	May 12, 2021
Logstash is not reading some files from filebeat Logstash	6	290	May 19, 2022
Filebeat not seeing fileupdates Beats	3	697	July 5, 2017
Facing delay in logs Beats filebeat	2	1124	August 2, 2019

FileBeat not following logfile

Related topics