I have a fairly high-volume log file source (Varnish) that I'm trying to push into ES.
What I'm seeing is that Filebeat seems to start logging every hour, roughly on the hour, but only for a few minutes (it seems to vary between 5 and 20 minutes). Then it goes mostly quiet until the next hour.
That felt to me like a log-rotation problem, but I thought Filebeat would keep an eye on a file that was rotated out of the way?
I am rotating hourly:
    /var/log/varnish/varnishncsa.log {
        rotate 4
        hourly
        missingok
        notifempty
        sharedscripts
        nocompress
        postrotate
            /bin/kill -HUP `cat /var/run/varnishlog.pid 2>/dev/null` 2> /dev/null || true
            /bin/kill -HUP `cat /var/run/varnishncsa.pid 2>/dev/null` 2> /dev/null || true
        endscript
    }
And my Prospector is set up like this:
    filebeat.prospectors:
    - type: log
      document_type: varnish
      close_inactive: 1m
      ignore_older: 15m
      paths:
        - /var/log/varnish/varnishncsa.log
      json.keys_under_root: true
      json.add_error_key: true
      json.overwrite_keys: true
    output.elasticsearch:
      index: "varnish-%{+yyyy.MM.dd}"
      pipeline: varnish
      bulk_max_size: 2000
      template.enabled: false
      hosts: ["https://mycluster.eu-west-1.aws.found.io:9243"]
      username: ""
      password: ""
      compression_level: 9
I used close_inactive: 1m because, as per the docs, that is much longer than the gap between events, and ignore_older: 15m because I don't want to rescan old files after a Filebeat restart.