Hello,
I have a file which is not mentioned in the filebeat.yml but i can still see that opened by filebeat in lsof -c filebeat output.
anyone any idea about what is happening here??
Thanks,
Nitin
Could you please give more details? I would like to see the path for the file and filebeat settings
filebeat.prospectors:
- input_type: log
paths:
- /var/log/secure
- /var/log/messages
document_type: sys-syslog
- input_type: log
paths:
- /var/log/cron
document_type: sys-cron
- input_type: log
paths:
- /var/log/yum.log
document_type: sys-yum
output.logstash:
enabled: true
hosts: ["10.204.140.17:5044","10.204.141.17:5044","10.204.140.18:5044","10.204.141.18:5044"]
worker: 1
loadbalance: true
logging.to_files: true
logging.files:I am pushing filebeat prospectors via ansible but they are not reflected in filebeat.yml . Even though in lsof output i can see the file is opened by filebeat
What's the open file?
sorry i didn't get that.. I am using this command "lsof -c filebeat " to see if file is read by filebeat.
Got it, perhaps you can share the output of lsof?
nohup.out is the file
I suspect that what happens here is that ansible or something else runs the init script command via nohup (the nohup.out is specific for that command). The file descriptor gets passed through a couple of forks and execs and eventually is inherited by filebeat itself.
What ansible module do you use for starting filebeat? Generally nohup shouldn't be needed.
In any case, it's not that Filebeat is reading that file, just that it has a reference to it.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.