Logstash not seeing updates in logs

When I use Logstash with the file plugin, it reads the log up to the point when Logstash discovered the file.
Any updates in the logs are not tailed and shown.

A little explanation from my side.
I use rsync to synchronize logs from 2 servers (Linux) to a local machine (Windows 7) which runs Logstash and Elasticsearch.

Are you appending additional data to the log or modifying lines that may already have been parsed?

All additional data are new log lines with new timestamps.

Below is the message from the Logstash logs:

[2019-03-06T09:40:05,165][DEBUG][logstash.instrument.periodicpoller.jvm] collector name {:name=>"ConcurrentMarkSweep"}
[2019-03-06T09:40:08,208][DEBUG][logstash.instrument.periodicpoller.cgroup] One or more required cgroup files or directories not found: /proc/self/cgroup, /sys/fs/cgroup/cpuacct, /sys/fs/cgroup/cpu
[2019-03-06T09:40:09,725][DEBUG][logstash.pipeline ] Pushing flush onto pipeline {:pipeline_id=>"main", :thread=>"#<Thread:0x26e73c45 sleep>"}

The problem is solved.

The issue is within rsync: it does not update the file itself.
When it is synchronizing, it makes a duplicate of the existing file as a temp file and adds the extra data, then replaces the original file.

That's why I needed to restart Logstash to see the updated data.
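
Added example, not part of the original thread and not Logstash's own code: a constructed Python sketch that simulates the temp-file-and-replace update described above, shows that a handle opened once misses the new lines, and shows a tailer that re-checks the file's identity on each poll picking them up. The names `replace_like_rsync`, `ReplaceAwareTail`, `demo` and the file `app.log` are hypothetical, and the kept-open handle part assumes POSIX file semantics.

```python
import os
import tempfile


def replace_like_rsync(path, extra):
    """Simulate the update described in the thread: copy to a temp file, add data, swap it in."""
    with open(path, "rb") as src:
        existing = src.read()
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "wb") as out:
        out.write(existing + extra)
    os.replace(tmp, path)  # same name, but a different file on disk


class ReplaceAwareTail:
    """Hypothetical tailer that re-checks the file's identity on every poll."""

    def __init__(self, path):
        self.path, self.identity, self.offset, self.replacements = path, None, 0, 0

    def poll(self):
        st = os.stat(self.path)
        ident = (st.st_dev, st.st_ino)
        if self.identity is not None and ident != self.identity:
            self.replacements += 1
            if st.st_size < self.offset:  # shorter replacement: start over
                self.offset = 0
        self.identity = ident
        with open(self.path, "rb") as fh:  # reopen by name so a swapped-in file is seen
            fh.seek(self.offset)
            data = fh.read()
        end = data.rfind(b"\n") + 1  # consume complete lines only
        self.offset += end
        return data[:end].decode().splitlines()


def demo():
    with tempfile.TemporaryDirectory() as workdir:
        log = os.path.join(workdir, "app.log")  # constructed sample log
        with open(log, "wb") as fh:
            fh.write(b"line 1\nline 2\n")
        tail = ReplaceAwareTail(log)
        first = tail.poll()
        with open(log, "rb") as stale:  # a handle opened once and kept (POSIX semantics)
            stale.seek(0, os.SEEK_END)
            replace_like_rsync(log, b"line 3\n")
            missed = stale.read()  # still the old file: nothing new arrives
        second = tail.poll()
        return first, missed, second, tail.replacements


if __name__ == "__main__":
    print(demo())
```

On the sending side, rsync's --inplace option writes into the existing destination file instead of swapping in a temp copy, which keeps the file identity stable for whatever is tailing it.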
