How logstash forwarder works?

sampasei · October 27, 2015, 10:57am

Hi all,
i have a question about logstash-forwarder.
I'm using a log program able to write txt files that are zipped and created again every hour: consider this case

8:59 my program is writing a file log.txt
9.00 log.txt is zipped and archived, a new log.txt is created

Logstash-forwarder hasn't a buffer: its buffer is the log file. Consider this case:

8:50 logstash on the server side is down, logstash-forwarder tries to reconnect without any result
9:00 logstash on the server side is still down, a new log file is created
9:10 logstash is up, logstash-forwarder sends records to the server

I thought that the first record sent to the server was the first record of the file created at 9:00, but i see that previous records are sent to the logstash server....why?
Thanks

magnusbaeck · October 27, 2015, 6:58pm

I haven't studied the LSF source code in detail, but I'd assume this is because LSF kept the original file open all the time. Recall that in Unix-like systems it's normally fine to delete a file that a process has open without affecting the operation of that process. Once that process closes the file it'll be deleted from disk.

Topic		Replies	Views
What is meant by Logstash Forwarder tail files from the beginning? Logstash	2	996	July 6, 2017
Configure Logstash-Forwarder to process old files Logstash	4	3083	July 6, 2017
How to unzip compressed logs and ship through forwarder? Logstash	3	2737	July 6, 2017
Logstash with filebeat and batching Logstash	1	296	September 24, 2020
Logstash File Handler w/ Partially Read Files Beats filebeat	6	1912	July 5, 2017

How logstash forwarder works?

Related topics