Grokparsefailure randomly

fry2k · February 4, 2019, 4:52pm

Thanks a lot. I didn't know the mode "read" until now. That's exactly what I was looking for.

With this setup it works perfect now:

file {
    path => '/var/elk-logs/queue/*lfa_event_20*.log'
    mode => "read"
    sincedb_path => "/var/elk-logs/sincedb/sincedb"
    file_completed_action => "log_and_delete"
    file_completed_log_path => "/var/elk-logs/logs/complete.log"
    ignore_older => 50
    sincedb_clean_after => "60s"
    add_field => {
      "[@metadata][indexType]" => "lfaEvent"
    }
  }

Like you suggested I copy the new file with a temp file name and rename it after the copy process.

At my log I see still the same inode IDs but they didn't cause any problems.

Topic		Replies	Views
Logstash not parsing new files added to docker volume Logstash	5	3456	July 19, 2018
ELK Docker - Logstash doesn't read log file Logstash	1	506	July 6, 2017
I am trying to setup elk on docker, but it is not pulling data from my log file which already has data Kibana elastic-stack-security , docker	2	7	October 15, 2024
Grokparsefailure but passes grok debugger Logstash	3	762	July 6, 2017
Docker SEBP/ELK not logging IP msgs Logstash	1	683	April 7, 2017

Grokparsefailure randomly

Related topics