Thanks a lot. I didn't know the mode "read" until now. That's exactly what I was looking for.
With this setup it works perfectly now:
file {
  path => '/var/elk-logs/queue/*lfa_event_20*.log'
  mode => "read"
  sincedb_path => "/var/elk-logs/sincedb/sincedb"
  file_completed_action => "log_and_delete"
  file_completed_log_path => "/var/elk-logs/logs/complete.log"
  ignore_older => 50
  sincedb_clean_after => "60s"
  add_field => {
    "[@metadata][indexType]" => "lfaEvent"
  }
}
Like you suggested, I copy the new file with a temp file name and rename it after the copy process.
In my log I still see the same inode IDs, but they didn't cause any problems.
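
The copy-then-rename delivery described above, sketched as an added example that is not part of the original post. The function name `stage_log` and the `QUEUE_DIR` variable are assumptions; the queue directory and glob are taken from the config above.

```shell
#!/bin/sh
# Deliver a finished log file into the directory watched by the file input
# without exposing a half-written file to it.
# stage_log and QUEUE_DIR are hypothetical names chosen for this example.

QUEUE_DIR="${QUEUE_DIR:-/var/elk-logs/queue}"

stage_log() {
    src=$1
    name=$(basename "$src")

    # Refuse names the input's path glob (*lfa_event_20*.log) would never
    # pick up, so files do not pile up unread in the queue.
    case "$name" in
        *lfa_event_20*.log) ;;
        *) echo "stage_log: $name does not match the input glob" >&2
           return 2 ;;
    esac

    # The temp name sits in the same directory (same filesystem, so mv is
    # an atomic rename) and ends in .tmp, so the glob cannot match it
    # while the copy is still running.
    tmp="$QUEUE_DIR/.$name.$$.tmp"

    # Plain cp without -p: the copy gets a fresh mtime. The config above
    # sets ignore_older => 50, so a preserved old mtime could cause the
    # file to be skipped.
    if cp "$src" "$tmp" && mv "$tmp" "$QUEUE_DIR/$name"; then
        return 0
    fi

    # Clean up a partial temp file on failure.
    rm -f "$tmp"
    return 1
}

# Stand-alone use: sh stage_log.sh /path/to/app_lfa_event_2024-01-01.log
if [ "$#" -eq 1 ]; then
    stage_log "$1"
fi
```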