I'm using logstash-forwarder 0.4, and have issues with it detecting spurious log rotations which is preventing it from importing some files, e.g.
2015/08/16 00:00:02.585975 File rename was detected: /usr/local/appinf/component/container/sso3/catalina-base/logs/status-tomcat.log.2015-08-14 -> /usr/local/appinf/component/container/sso3/catalina-base/logs/sso3.log.2015-08-16 2015/08/18 00:00:10.283930 File rename was detected: /usr/local/appinf/component/container/sso3/catalina-base/logs/monitor.log.2015-08-16 -> /usr/local/appinf/component/container/sso3/catalina-base/logs/sso3.log.2015-08-18
What logic does LSF use to detect file rotations? These files are unrelated. I'm not 100% exactly how these files are written, I think they just use a java log4j appender to create a new file each day.
If I restart the forwarder, I get the following:
2015/08/18 10:20:07.673736 Launching harvester on new file: /usr/local/appinf/component/container/sso3/catalina-base/logs/sso3.log.2015-08-18 2015/08/18 10:20:07.673973 harvest: (tailing) "/usr/local/appinf/component/container/sso3/catalina-base/logs/sso3.log.2015-08-18" (offset snapshot:18497536)
Edit: In a similar situation, after restarting LSF, I have log lines like the following:
2015/08/18 11:22:59.255307 Not resuming rotated file: /.../VotingPortlet.log 2015/08/18 11:22:59.255320 Launching harvester on new file: /...//VotingPortlet.log
Where it obviously thinks the file is rotated, but then also starts reading it again?!