I have an ELK stack established using the following workflow:
A DB2 server generating logs in .txt format, an FTP to ingest those logs into an S3 bucket in my AWS environment.
Then an s3fs-fuse mount, using this S3 bucket as a shared file system in my EC2 VM (Linux Amazon 2).
This EC2 also has Logstash installed on it.
In Logstash I have a File Input Plugin, using the multiline codec, start_position => "beginning" and tail mode to read the files in the mounted file system.
So, the problem is: after some experiments of my own, I've detected that Logstash is re-reading all files every time I restart the service.
Consulting my sincedb file, I get some examples that do not give me a reason for that behavior.
For example, there are 3 lines in my sincedb file for the same file:
17401603 0 38 0 1666092729.908425 /var/logsaudit/file1.txt
17463979 0 38 0 1666094675.885058 /var/logsaudit/file1.txt
17401603 0 38 0 1666092729.908425 /var/logsaudit/file1.txt
The point is, if you look at these lines, you will notice that only the timestamp and inode number have changed.
But my files haven't undergone any change since they were moved from the DB2 server to the S3 bucket.
So what is the most probable cause of that inode change?
(This behavior happens with all files inside the S3 after each Logstash service restart.)
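
One way to confirm from the sincedb itself which paths are tracked under more than one inode, as an added example that is not part of the original post. It assumes the six-field line layout seen in the lines quoted above (inode, major device, minor device, byte offset, last-active timestamp, path); the function names and the file2.txt sample line are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class SincedbEntry(NamedTuple):
    inode: str          # kept as text: it is an identifier, not a number to compute with
    dev_major: int
    dev_minor: int
    position: int       # byte offset Logstash had reached in the file
    last_active: float  # epoch seconds
    path: str


# Constructed sample: two lines modelled on the post, plus one invented control line.
SAMPLE = """\
17401603 0 38 0 1666092729.908425 /var/logsaudit/file1.txt
17463979 0 38 0 1666094675.885058 /var/logsaudit/file1.txt
17500001 0 38 2048 1666094700.000000 /var/logsaudit/file2.txt
"""


def parse_sincedb(text):
    """Parse six-field sincedb lines; the path is the remainder and may contain spaces."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(None, 5)
        if len(parts) < 6:
            continue  # blank line, or a record without timestamp/path
        inode, major, minor, pos, ts, path = parts
        entries.append(SincedbEntry(inode, int(major), int(minor), int(pos), float(ts), path))
    return entries


def inode_churn(entries):
    """Return {path: entries sorted by time} for paths recorded under several inodes."""
    by_path = defaultdict(list)
    for entry in entries:
        by_path[entry.path].append(entry)
    return {
        path: sorted(group, key=lambda e: e.last_active)
        for path, group in by_path.items()
        if len({e.inode for e in group}) > 1
    }


if __name__ == "__main__":
    for path, group in inode_churn(parse_sincedb(SAMPLE)).items():
        print(path)
        for e in group:
            print(f"  inode={e.inode} offset={e.position} last_active={e.last_active}")
```

Running it against a copy of the sincedb taken before and after a service restart shows whether every path gains a new inode entry at each restart.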