Hello everyone,
I’m encountering issues with Filebeat in a Kubernetes environment where I don’t have control over the log rotation configuration. Here’s a summary of the setup and the challenges:
- Log Setup:
- Filebeat Configuration: Filebeat is configured to look for log files in
/var/log/containers/*.log
, which are symlinks to/var/log/pods/.../0.log
. - Kubernetes Log Rotation: Kubernetes rotates logs by renaming
0.log
to0.log.<timestamp>
when the file reaches 10MB. It then gzips the old file and retains up to 3 copies, creating a new0.log
for continued logging.
- Filebeat Configuration Issues:
- Disabled Options:
close_renamed
: Disabled, so renamed files are not closed.close_removed
: Disabled, so removed files are not closed.clean_removed
: Disabled as well, as required by Filebeat's documentation ifclose_removed
is disabled.
- Active Options:
close_inactive
andclean_inactive
: Can be set to handle inactive files, but setting it correctly is tricky due to size-based rotation (see the problem below).ignore_older
: Prevents processing of files inactive for longer than the specified period.
- Problem: Files that are closed and were renamed/removed will not be reopened as Filebeat looks at the other directory that contains the symlinks. If a file becomes inactive for longer than the
ignore_older
andclose_inactive
periods and then starts logging again, Filebeat will not process the new logs. Without using that configuration (ignore_older
andclean_inactive
), frequent rotation increases the risk of inode reuse issues, and on the other hand if a file is mistakenly marked as inactive, it won’t be tracked, leading to potential log loss.
My Questions is, what’s the best approach for configuring Filebeat to handle rotated files given that I can't control the Kubernetes log rotation mechanism, taking into account the problem mentioned above, in order to avoid issues with file closure, inode reuse, and log loss?
Any advice or experiences would be greatly appreciated.
Thanks in advance!