Logstash stuck on file "rotation"

LoZio · June 25, 2019, 7:16am

I'm reading the DNS debug log file from a Windows DNS server.
I can't install any software on the DC, so I resorted to sharing the directory with the logs, mount it on my Linux box, and read/parse it with logstash and file input.
It works until Windows "rotates" the log file. It seems to do so by restarting to write from the beginning, I assume after a truncate type operation. Logstash sits stuck and does not get the new data. If I restart Logstash it restarts ingesting correctly. My input is like:

   input {
      file {
        path => "/mnt/dns/*log"
        start_position => "beginning"
        discover_interval => 120
        stat_interval => 60
        type => "dnslog"
      }
    }

any idea if I can tweak some parameter to catch this kind of "rotation"?
Thanks

LoZio · June 25, 2019, 7:26am

Adding that doing a stat on the log file as seen on the Linux box I get:

Access: 2019-06-21 09:48:36.343135100 +0200
Modify: 2019-06-24 18:32:01.317161900 +0200
Change: 2019-06-24 18:32:01.317161900 +0200

but the file actually contains log from right now (Jun 25). Nevertheless the last ingested in ES was in the night of the first day, that is Jun 22, that is well before the last change recorded by the fs.

system · July 23, 2019, 7:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash holds/locks onto files during files rotation Logstash	4	75	July 27, 2024
How to handle rotated logs Logstash	4	676	October 1, 2020
Logstash file rotation dead time Logstash	1	1115	July 6, 2017
Logstash rotating log - sincedb issue on Windows Logstash	5	1454	March 16, 2017
Inode remaing same - reading old logs. on restart gets new inode on sincedb and get new data Logstash	1	237	November 19, 2020

Logstash stuck on file "rotation"

Related topics