Logstash stuck on file "rotation"

LoZio · June 25, 2019, 7:16am

I'm reading the DNS debug log file from a Windows DNS server.
I can't install any software on the DC, so I resorted to sharing the directory with the logs, mount it on my Linux box, and read/parse it with logstash and file input.
It works until Windows "rotates" the log file. It seems to do so by restarting to write from the beginning, I assume after a truncate type operation. Logstash sits stuck and does not get the new data. If I restart Logstash it restarts ingesting correctly. My input is like:

   input {
      file {
        path => "/mnt/dns/*log"
        start_position => "beginning"
        discover_interval => 120
        stat_interval => 60
        type => "dnslog"
      }
    }

any idea if I can tweak some parameter to catch this kind of "rotation"?
Thanks

LoZio · June 25, 2019, 7:26am

Adding that doing a stat on the log file as seen on the Linux box I get:

Access: 2019-06-21 09:48:36.343135100 +0200
Modify: 2019-06-24 18:32:01.317161900 +0200
Change: 2019-06-24 18:32:01.317161900 +0200

but the file actually contains log from right now (Jun 25). Nevertheless the last ingested in ES was in the night of the first day, that is Jun 22, that is well before the last change recorded by the fs.

system · July 23, 2019, 7:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.