Hi using Filebeat 6.2.2 and logrotate.
Logrotate is setup to rotate every 100MB.
When rotation happens we see that the last entry durring rotation gets cut in half. So some of the bytes of the line are in the old file and the rest in the new file.
This single line gets indexed as 2 separate events in ES.
Is there a way to fix this?
That more seems like an issue of the log rotation mechanism. If there are 2 different lines FB will ship it as 2 events.
Ok I'm using DC/OS the DC/OS guys claim they use standard Linux logrotate. Does logrotate truncate a line when it reaches the maximum size?
TBH I don't know. I would recommend to check the rotated log files and see if the messages are truncated.
TBH I would be surprised if logrotate with a default config cuts log lines in half as if this is the case I would expect quite a few more reports of this problem.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.