Log rotations


(Mark Van Rossum) #1

I'm using logstash-forwarder 0.4, and have issues with it detecting spurious log rotations which is preventing it from importing some files, e.g.

2015/08/16 00:00:02.585975 File rename was detected: /usr/local/appinf/component/container/sso3/catalina-base/logs/status-tomcat.log.2015-08-14 -> /usr/local/appinf/component/container/sso3/catalina-base/logs/sso3.log.2015-08-16
2015/08/18 00:00:10.283930 File rename was detected: /usr/local/appinf/component/container/sso3/catalina-base/logs/monitor.log.2015-08-16 -> /usr/local/appinf/component/container/sso3/catalina-base/logs/sso3.log.2015-08-18

What logic does LSF use to detect file rotations? These files are unrelated. I'm not 100% exactly how these files are written, I think they just use a java log4j appender to create a new file each day.

If I restart the forwarder, I get the following:

2015/08/18 10:20:07.673736 Launching harvester on new file: /usr/local/appinf/component/container/sso3/catalina-base/logs/sso3.log.2015-08-18
2015/08/18 10:20:07.673973 harvest: (tailing) "/usr/local/appinf/component/container/sso3/catalina-base/logs/sso3.log.2015-08-18" (offset snapshot:18497536)

Edit: In a similar situation, after restarting LSF, I have log lines like the following:

2015/08/18 11:22:59.255307 Not resuming rotated file: /.../VotingPortlet.log
2015/08/18 11:22:59.255320 Launching harvester on new file: /...//VotingPortlet.log

Where it obviously thinks the file is rotated, but then also starts reading it again?!

thanks!


(Tudor Golubenco) #2

Looking at the source code, it considers that a file is an old one renamed if it has the same inode and device. Can you check if that is indeed the case for those files?


(system) #3