Hi,
In our environment, we have multiple logs folders. There's a symlink that points to a currently active logs folder and this symlink constantly changes pointing to a different folder. Something like this:
logs_a/
logs_b/
current -> logs_c/
logs_d/
I was trying to be "clever" and instead of using a wildcard to just consider all the folders regardless of the symlink, I instead set up the file path to be looking at the symlink because I know Logstash works well with symlinks even when they change (I tested it)
file {
path => "/some/path/current/some.log"
...
}
Now one challenge I had was I wanted the event to show the real path as well besides the symlink path so I have been using the ruby code below which I just found out doesn't work 100% of the time but returns a wrong real path sometimes and by wrong I mean it resolve the real path to an incorrect logs folder. I suspect maybe when Logstash was still parsing stuff the symlink changed by the time ruby code was executed.
ruby {
code => "event.set('real_path', File.real_path(event.get('path')))"
}
So my question is what do you think is causing the problem here?
And do you think using Ruby code to get the real path is a good way?
Or should I just use the wild card way to listen to all the folders instead?
Many thanks for your help,