Question about logrotate with gzip

Fedele_Mantuano · December 19, 2016, 9:47am

Hi,

I have a question about the behavior of filebeat with logrotate and gzip.

I had a problem with my logstash server that takes all filebeats events. This logstash was stopped so all filebeats could send logs to it.

These files have been gzipped from logrotate, then I restarted the server and I saw gzipped logs in Elasticsearch. I was surprised.

Can you explain how can filebeat manage these cases?

It's for this?

Each prospector keeps a state for each file it finds. Because files can be renamed or moved, the filename and path are not enough to identify a file. For each file, Filebeat stores unique identifiers to detect whether a file was harvested previously.

Thank you so much

ruflin · December 20, 2016, 8:53am

Filebeat keeps files open until the data is shipped. So I think what happened in your case is that the files were gzip but the unzip files were still around. So when Logstash became available again, the still open files finished shipping. Filebeat currently does not support gzip files, but there is some work done on it: https://github.com/elastic/beats/pull/3070

system · January 9, 2017, 9:47am

This topic was automatically closed after 21 days. New replies are no longer allowed.

Topic		Replies	Views
Filebeats, unable to read all the data from log file Beats filebeat	9	591	November 10, 2022
FIlebeat from a Windows Network Share Beats filebeat	8	9186	July 5, 2017
Working with gzipped files Beats filebeat	2	308	August 25, 2021
Filebeat holding deleted files which consumes disk space Beats filebeat	6	6091	June 27, 2017
Does Filebeat take in logs missed when it is stopped? Beats filebeat	4	493	June 2, 2021

Question about logrotate with gzip

Related Topics