Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LS > 1.5.1 double ingestion of log when rotated based on glob path #3674

Closed
thomasquatorze opened this issue Jul 31, 2015 · 10 comments
Closed

LS > 1.5.1 double ingestion of log when rotated based on glob path #3674

thomasquatorze opened this issue Jul 31, 2015 · 10 comments
Assignees
@jsvd
Labels
blocker bug v1.5.4

Comments

@thomasquatorze
Copy link

Starting with LS 1.5.2 logs referenced with a glob path start being ingested a second time as the log is being rotate at 00:00 UTC. sincedb file content initially shows the log (inode 16648175) changing name (access_logstash.log -> access_logstash.log.2015-07-30) but then no longer being tracked. Kibana shows doubling of log volume starting 00:00 UTC the previous day. stopping ls, removing the sincedb file and starting ls resets the problem until the next rotation.

Testing was run on 2 identical systems. The one using no globs in path, did not experience the problem.

os: Ubuntu 12.04.5 LTS (precise)
pkg: logstash_1.5.3-1_all.deb (025e540e9276946871396a739042acbdd93d4e6f)
java: oracle 1.7.0_51

path => "/var/opt/tomcat/tomcat-*/logs/access_logstash.log*"
-----------------------------------------------------------------------------------------

2015-07-30-23:59:55
16648175 0 2054 59565616529 - /var/opt/tomcat/tomcat-8080/logs/access_logstash.log - Bytes/Offset: 59569433018/59565616529
16693500 0 2054 63156842952 - /var/opt/tomcat/tomcat-8080/logs/access_logstash.log.2015-07-29 - Bytes/Offset: 63156842952/63156842952

2015-07-31-00:00:00
16693500 0 2054 63156842952 - /var/opt/tomcat/tomcat-8080/logs/access_logstash.log.2015-07-29 - Bytes/Offset: 63156842952/63156842952
16648175 0 2054 59565616529 - /var/opt/tomcat/tomcat-8080/logs/access_logstash.log.2015-07-30 - Bytes/Offset: 59572896325/59565616529

2015-07-31-00:00:10
16649716 0 2054 5517424     - /var/opt/tomcat/tomcat-8080/logs/access_logstash.log - Bytes/Offset: 8887555/5517424
16693500 0 2054 63156842952 - /var/opt/tomcat/tomcat-8080/logs/access_logstash.log.2015-07-29 - Bytes/Offset: 63156842952/63156842952

path => "/var/opt/tomcat/tomcat-8080/logs/access_logstash.log"
-----------------------------------------------------------------------------------------

2015-07-30-23:59:58
16386949 0 2054 59566214989 - /var/opt/tomcat/tomcat-8080/logs/access_logstash.log - Bytes/Offset: 59576407646/59566214989

2015-07-31-00:00:03
16386949 0 2054 59577724637 - /var/opt/tomcat/tomcat-8080/logs/access_logstash.log.2015-07-30 - Bytes/Offset: 59577724637/59577724637

2015-07-31-00:00:18
16385849 0 2054 12814313    - /var/opt/tomcat/tomcat-8080/logs/access_logstash.log - Bytes/Offset: 15460725/12814313
@suyograo suyograo added the bug label Jul 31, 2015
@thomasquatorze
Copy link
Author

It appears that even a single glob in the filename (no glob in path), still triggers this condition
path => "/var/opt/tomcat/tomcat-8080/logs/access_logstash.log*"

@thomasquatorze
Copy link
Author

To easily reproduce the problem with basic file input/output (used logstash 1.5.2):

input {
  file {
    path => "/var/tmp/access_log.*"
  }
}

output {
  file {
    path => "/var/tmp/access_log_output.log"
  }
}

And generating logs slowly so as to give logstash time to discover new logs (default discover_interval 15 seconds)

#!/usr/bin/env bash

LOGFILE="/var/tmp/access_log.log"

for ((x=1;x<=30;x++)) ; do
  echo "logging some data ${x}" >> ${LOGFILE}
  sleep 1
  if [ ${x} == 15 ] ; then
   mv ${LOGFILE} ${LOGFILE}.`date '+%Y.%M.%d.%H-%M-%S'`
  fi
done

Data written to 1st log (that is rotated) is output-ed twice to output log.

count  log
-----  -----------------------------------
15     /var/tmp/access_log.log
15     /var/tmp/access_log.log.2015.22.03.16-22-13
45     /var/tmp/access_log_output.log

@jsvd
Copy link
Member

jsvd commented Aug 6, 2015

This bug was introduced with jordansissel/ruby-filewatch#51
The reason behind the PR was that deleting a file then creating a new one could render the new file invisible to filewatch if it ended up with the same inode number.
I need to run some tests but we need to reverse that patch in some way, as this is a critical bug.

@jsvd jsvd mentioned this issue Aug 10, 2015
Merged
@jsvd
Copy link
Member

jsvd commented Aug 11, 2015

After merging the filewatch PR we still need to release a new version of the filewatch library and then update the .lock file for the 1.5.4 release

@jsvd
Copy link
Member

jsvd commented Aug 11, 2015

Filewatch 0.6.5 has been released with a fix for this.
I have created a pr to force its use in logstash-input-file logstash-plugins/logstash-input-file#64

@jsvd
Copy link
Member

jsvd commented Aug 12, 2015

logstash-input-file 1.0.1 has been released, needs to be included in the next release of logstash (1.5.4)

@thomasquatorze
Copy link
Author

manually installing logstash-input-file 1.0.1 plugin in logstash 1.5.2 appears to resolve the issue when running the test detailed in #3674 (comment). I'll run a production test to validate fix with tomcat logs rotated by tomcat at 00:00 UTC

@jsvd
Copy link
Member

jsvd commented Aug 14, 2015

Thank you for testing this @thomasquatorze

@thomasquatorze
Copy link
Author

Updated the logstash-input-file plugin to 1.0.1 on a production host running logstash 1.5.3 and it properly handled log rotation by tomcat/log4j at 00:00 UTC. This issue appears to be resolved. Thanks

@jsvd
Copy link
Member

jsvd commented Aug 19, 2015

Thank you again! this will be included in 1.5.4

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jsvd jsvd

Labels
blocker bug v1.5.4
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jsvd @suyograo @thomasquatorze