Logstash file Input Plugin to read all files from a directory where log files gets rotated every hour

shadu88 · April 21, 2021, 9:03am

Hello Dear ELkan's
Hope all are doing good!!.
here are details of my query:

Logstash version7.10 on Centos7.8
Using File input plugin to read files and forward logs to other components
Issue Statement : How can i read all file from a directory where .log files are getting rotated every hour without duplicating the data and loose any logs.
File pattern based on time eg. mainlog.log-2021042000
my configurations:
input {
file {
path => "/data/mypath/tologs/mainlog.log"
start_position => "beginning"
sincedb_path => "/etc/logstash/sincedb/null"
}
}
every hour new file is created
mainlog.log-2021042000
mainlog.log-2021042001
mainlog.log-2021042002
mainlog.log-2021042003
mainlog.log-2021042004
mainlog.log-2021042005
mainlog.log-2021042006
mainlog.log-2021042007
mainlog.log-2021042008
mainlog.log-2021042009
mainlog.log-2021042010
mainlog.log-2021042011
mainlog.log-2021042012
mainlog.log-2021042013
mainlog.log-2021042014
mainlog.log-2021042015
mainlog.log-2021042016
mainlog.log-2021042017
mainlog.log-2021042018
mainlog.log-2021042019
mainlog.log-2021042020
mainlog.log-2021042021
mainlog.log-2021042022
mainlog.log-2021042023

I appreciate your inputs on this thank you in advance.
Stay Safe (y)

aaron-nimocks · April 21, 2021, 9:57am

If you did path => "/data/mypath/tologs/mainlog.log-*" it will read all the files and there should be no duplicates as long as the files don't contain duplicates.

This part is telling it to start over from the beginning each time though. So once you get it working I would remove those and Logstash will maintain which logs and which data has been already ingested so it won't grab those again.

start_position => "beginning"
sincedb_path => "/etc/logstash/sincedb/null"

shadu88 · April 22, 2021, 6:10am

Hello Aaron,

Thanks for quick turnaround.
Absolutely path => "/data/mypath/tologs/mainlog.log-*" will include all my log files, but the catch is same logs gets rotated every hour obviously its a duplicate data.
What's your recommendation for my scenario, where log files rotate every one hour.

Thanks Much!!!

Regards,
Shadab

aaron-nimocks · April 22, 2021, 8:41am

I am not sure if there is a way if your logs are creating duplicate data.

shadu88 · April 22, 2021, 11:40am

Currently my configuration is pointing to active file where logging happens actively.
path => "/data/mypath/tologs/mainlog.log" ( im loosing data by this configuration)
while file rotates to next timestamp file
every hour new file is created
mainlog.log-2021042000
mainlog.log-2021042001
mainlog.log-2021042002 etc etc.

system · May 20, 2021, 11:41am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to prevent Logstash file input duplicate reading with rotating log? Logstash	15	1417	September 6, 2022
Regarding reading files from a directory to which new files are being added continuously after processing all of previous files Logstash	7	1282	July 6, 2017
Rotating File Input Logstash Logstash	1	140	December 19, 2023
File input processing question Logstash	3	1077	July 6, 2017
How To Make File Input Read Entire File Every Time? Logstash	5	4824	July 6, 2017

Logstash file Input Plugin to read all files from a directory where log files gets rotated every hour

Related topics