It seems logstash (technically launched via java) traps the SIGKILL unix signal (ie. kill -9) and tries to shutdown gracefully. However, I have experienced times when it never shuts down.
I suggest that the policy be that if while handing the first SIGKILL another is received, the app simply exit with data loss. Another policy would be to property use SIGINT and/or SIGTERM instead of SIGKILL for graceful exit and SIGKILL for what it is designed for - killing the process. Otherwise, when the process hangs, I can only get rid of it by rebooting the machine.
FYI: I am running pipe plugin as a logstash input with the tail command:
input {
pipe {
add_field => { "source" => "foo.log" }
command => "tail -f ./logs/foo.log"
}
And killing the main process leaves 4 zombies attached to the root pid, so ps -ef | grep java still shows the logstash java process even after several kill -9's.
On the other side, we don't really test in solaris, so can not help much on the behaviour there, might this be related to the way the pipe input you're using works in solaris?
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.