I am faced with this challenge. The logfiles I want to watch with Filebeat and then send to Graylog are accessible via an SMB mount only. I already mounted with
cache=none,actimeo=0
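For reference, the full mount roughly looks like this (server, share, mount point and credentials are placeholders):

```
sudo mount -t cifs //fileserver/logs /mnt/logs \
  -o username=loguser,cache=none,actimeo=0
```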
What I am seeing is that when the logfile gets a new entry at the end of the file, Filebeat does notice it, but it rereads large parts of the file and sends out events for past entries (to the best of my knowledge the entire file). I suspect this is a problem with the logfiles being on an SMB share (from Filebeat's point of view).
Any ideas on how to tackle this? I have no control over the SMB server, unfortunately. There is currently no log rotation in place (or at least none happening during these tests). Whenever a new line is written, the entire file is reread and emitted as events.
That error is printed when Filebeat checks the size of the file and the size reported by the filesystem is smaller than the offset Filebeat recorded the last time it read from the file.
In other words (as an example), Filebeat thinks it is 500 KB into the file, but the filesystem is telling Filebeat that the file is only 400 KB long.
I'm not entirely convinced fingerprinting will fix it, but with network volumes there's no guarantee that the native file ID (device and inode) remains stable.
Fingerprinting generates the file's ID from the first 1024 bytes of the file's content instead. Fingerprinting is almost always the first recommendation when network volumes are in play.
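A minimal filestream input with fingerprint file identity roughly looks like this (the input id and paths are placeholders; the offset and length shown are the defaults):

```yaml
filebeat.inputs:
  - type: filestream
    id: smb-logs                     # placeholder id
    paths:
      - /mnt/logs/*.log              # placeholder path to the SMB-mounted logs
    # identify files by a hash of their content instead of device/inode
    file_identity.fingerprint: ~
    prospector.scanner.fingerprint.enabled: true
    prospector.scanner.fingerprint.offset: 0     # where the hashed range starts (default)
    prospector.scanner.fingerprint.length: 1024  # bytes hashed; the file must be at least this long (default)
```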
The filestream input also logs the offset and the file size it received from the filesystem when it detects truncation, which might be useful additional information here.
Ignore my "how would it help" question. I just read the docs on this; I had mistaken it for another kind of fingerprinting (for fields).
Preliminary first test: this seems to have done the trick. It needs 1024 bytes of new data/change, but that is acceptable. I will monitor this. You are a lifesaver, and I hate myself once more for investigating for hours instead of asking the knowledgeable people earlier!
Just noticed I have duplicates again (or rather still?). I am reading every 10 seconds, and every now and then I am still getting a duplicate. The message is in the source file just once. At least the entire file does not seem to be re-ingested, but the last lines of the log sometimes are.
Are you writing directly to Elasticsearch or to something else first? Can you share a log from Filebeat, the line from the file, and the contents of the duplicate events from Elasticsearch?
Looking for a suitable example to send. Currently it is not happening. The only difference between yesterday and today is that the logfile was rotated and is now smaller. I will try to find something later today when it becomes reproducible again.
It looks like you're writing to Logstash first. There are various situations with Logstash which might result in duplicate events in Elasticsearch.
Both Filebeat and Logstash have "at least once" delivery guarantees, which means logs may be delivered multiple times. If you are not setting the _id of the message or otherwise fingerprinting the log, this could be expected behavior if, for example, the Logstash pipeline crashes and restarts, or Filebeat crashes between when it reads the log line and when it sends it to Logstash.
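If you want to generate a stable id on the Filebeat side, a sketch using Filebeat's fingerprint processor could look like this (hashing the message field into @metadata._id is an assumption about your setup, and it only helps if whatever finally stores the event actually uses that id as the document id):

```yaml
processors:
  # compute a deterministic hash of the raw log line and expose it as the event id,
  # so a replayed line overwrites the earlier copy instead of creating a duplicate
  - fingerprint:
      fields: ["message"]
      target_field: "@metadata._id"
```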
Setting the id does not work, does it? At least I was not able to set the _id in Graylog, since this is a protected field. I thought that the fingerprint statement would do that exact fingerprinting? Do you have any concrete suggestion on how and especially where to do additional fingerprinting in order to circumvent this? Currently it is not happening anymore (for no apparent reason). The components were not crashing...
This particular forum is for support with Elastic products -- for questions about deduplicating logs sent to Graylog I would recommend reaching out on the Graylog community: https://community.graylog.org/