Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Documentation for reading rotated logs using file log receiver #34833

Open
zekai-rai opened this issue Aug 23, 2024 · 2 comments
Open

Documentation for reading rotated logs using file log receiver #34833

zekai-rai opened this issue Aug 23, 2024 · 2 comments
Labels
documentation Improvements or additions to documentation needs triage New item requiring triage question Further information is requested receiver/filelog

Comments

@zekai-rai
Copy link

Component(s)

receiver/filelog

Describe the issue you're reporting

The readme page of the file log receiver states that "File Log Receiver can read files that are being rotated." I am trying to read more about how it's done and whether there are any limitations.

Using Logrotate, for example, when rotating logs using create mode, it rotates the main log file by renaming the original one and creating a new one under the original name. If the process is actively writing to it while the file being rotated. Log might continue writing to the already rotated file. In a case like that,

  1. Should filelog receiver be configured to read from all logs -- main log and rotated logs? I suppose so. If not, filelog receiver will miss some logs.
  2. How does filelog receiver avoid reading duplicated content from the rotated files? It relies on the fingerprint setting.
  3. If yes to 2, does using fingerprint and reading from all logs add much burden to the pipeline?

This is probably a question for stackoverflow, but I either way, I would like some pointers to read more about the supporting of reading rotated files in general. Thank you.
@zekai-rai zekai-rai added the needs triage New item requiring triage label Aug 23, 2024
@github-actions GitHub Actions
Copy link
Contributor

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

@crobert-1 crobert-1 added question Further information is requested documentation Improvements or additions to documentation labels Aug 23, 2024
This was referenced Aug 27, 2024
Closed
Closed
@djaglowski
Copy link
Member

There is some detailed documentation here which you may find helpful.

In general, the design tries to make minimal assumptions about log rotation mechanics and instead relies on identifying files based on the first N bytes of the file, which should not change under rotation. (So the assumption is just that log files are append-only.)

rotates the main log file by renaming the original one and creating a new one under the original name. If the process is actively writing to it while the file being rotated. Log might continue writing to the already rotated file. In a case like that,

On nix systems, we keep file handles open in between polls. Then we check if the same file was not found in the most recent poll. If not found, then we read the remainder of the file before closing it. This works quite well to ensure that files are consumed completely even in the scenario you describe. In theory, it's possible that a delayed write to the file may be missed, but at some point we must stop watching files that are moved out of the matching pattern.

This was referenced Sep 10, 2024
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
documentation Improvements or additions to documentation needs triage New item requiring triage question Further information is requested receiver/filelog
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@djaglowski @crobert-1 @zekai-rai