Issue with logstash 8.17.4. Sincedb sometimes does not recognise the correct inode. After logstash restart it works

devops_training · May 6, 2025, 3:56pm

db.log rotates to db_backup.log.

input to logstash


input {
  file {
    path => "C:/Program Files (x86)/webserver/db/logs/db.log"
	exclude => "db_backup.log"
    type => "db"
    start_position => "beginning" 
    sincedb_path => "C:/setup/tools/logstash/sincedb_db.log"
    sincedb_clean_after => "4h"
    codec => multiline {
      pattern => "^\d{14}"  # Match lines starting with a 14-digit timestamp
      negate => true        # Lines NOT matching the pattern are part of the previous event
      what => "previous"    # Append non-matching lines to the previous event
      charset => "ISO-8859-1"
    }
  }
}

My sincedb entry before logstash restart

3336151636-103439-38731776 0 0 3743221 1746535009.097 C:/Program Files (x86)/webserver/db/logs/db.log
3336151636-103510-51970048 0 0 5255427 1746544213.982 C:/Program Files (x86)/webserver/db/logs/db.log
3336151636-103610-29032448 0 0 3033128 1746546108.149 C:/Program Files (x86)/webserver/db/logs/db.log

My sincedb entry after logstash restart

3336151636-103439-38731776 0 0 3743221 1746535009.097 C:/Program Files (x86)/webserver/db/logs/db.log
3336151636-103510-51970048 0 0 5255427 1746544213.982 C:/Program Files (x86)/webserver/db/logs/db.log
3336151636-103610-29032448 0 0 3033128 1746546108.149 C:/Program Files (x86)/webserver/db/logs/db.log
3336151636-103554-71303168 0 0 3896388 1746546378.764 C:/Program Files (x86)/webserver/db/logs/db.log   -- this is the right inode entry

db.log is pushed to elk. Without logstash restart. I want the correct inode to be updated. Please help

Badger · May 6, 2025, 5:38pm

What OS and what filesystem type? The code suggests that it may not work on ReFS, which is used on the server OSes.

devops_training · May 7, 2025, 1:46am

This is the windows machine (cloud) and storage is the drive (EBS volumes)

Badger · May 7, 2025, 1:54am

That doesn't answer either of my questions. Which version of Windows, and what filesystem are you using on the EBS volumes? (In File Explorer, if you right click on the disk and select properties, the filesystem type will be labelled "File system".)

devops_training · May 7, 2025, 5:00am

Windows 2016 and NTFS .

Badger · May 7, 2025, 5:02am

Do you mean Windows Server 2016?

devops_training · May 7, 2025, 5:20am

I meant Microsoft windows server 2016.

devops_training · May 7, 2025, 4:33pm

@Badger Do we have issue with inode for windows server 2016 and NTFS filessystem. If yes is there any alternate method to solve this issue?

Badger · May 7, 2025, 5:41pm

There is nothing in the comments in the source code that suggests the input would not work for an NTFS filesystem.

devops_training · May 8, 2025, 12:12am

thanks for the update. The output of sincedb file before restart and after restart says that logstash is not able to get the right file identifier when the file rotation happens.

Topic		Replies	Views
Inode remaing same - reading old logs. on restart gets new inode on sincedb and get new data Logstash	1	254	November 19, 2020
Sincedb maintenance Logstash	6	2546	July 6, 2017
Logstash 7 (W7) issue - Input file issue with sincedb: reads file only once Logstash	10	3944	May 16, 2019
Logstash rotating log - sincedb issue on Windows Logstash	5	1486	March 16, 2017
SinceDB not updated properly Logstash	1	381	October 3, 2018

Issue with logstash 8.17.4. Sincedb sometimes does not recognise the correct inode. After logstash restart it works

Related topics