Getting Data In

Why copytruncate logrotate does not play well with splunk monitoring

yannK
Splunk Employee

I am using logrotate to rotate my files, with the option copytruncate.
http://linuxcommand.org/man_pages/logrotate8.html
And it is causing Splunk to reindex the file during the rotation.

See my rotate script /etc/logrotate.d/test:

"/home/feed/test.log" { 
rotate 5 
size=50M 
sharedscripts 
copytruncate 
compress 
} 

What happens is:
- the rotation creates a new rotated file (test.log.1).
- the rotation copies the content of the file to the new file (from line 1 to line X), then compresses it.
- the rotation then truncates the original file by removing the first lines in chunks, until reaching line X.

At the same time, Splunk is monitoring the file and checks the first 256 chars for the CRC.
- during the truncate, because the first lines are changing, Splunk re-detects the file as new and reindexes it all.
- we find duplicates of the lines: the first lines with fewer duplicates, the last lines with more duplicates.

How to identify the issue:
- look for duplicates and the time when they were indexed (not the event timestamp):
source=path/to/my/logfile | convert ctime(_indextime) AS indextime | stats count values(indextime) AS indextime by _raw | where count > 1
- at the time of the rotation, look in the forwarder's splunkd.log and check for multiple events like:
11-05-2014 10:48:33.924 +0000 INFO WatchedFile - Will begin reading at offset=0 for file='/home/feed/test.log'
11-05-2014 10:48:34.234 +0000 INFO WatchedFile - Will begin reading at offset=0 for file='/home/feed/test.log'
etc.

1 Solution

yannK
Splunk Employee

The workarounds I found are:
A - replace the copytruncate rotation by a move rotation.
It may not always be a solution: some applications are pretty limited and need to keep the handle of the log file always open.

B - disable the monitoring just before the rotation.

The idea is to disable the monitoring before the rotation and re-enable it just after, using the logrotate options. Splunk will simply detect the new files and resume.

Here is my configuration:

  • inputs.conf in Splunk, in a specific app "input_rotate"
    cat /opt/splunk/etc/apps/input_rotate/local/inputs.conf

    [monitor:///home/feed/*.log*]
    disabled = false
    # add additional parameters here

  • logrotate script /etc/logrotate.d/test

    "/home/feed/test.log" { 
    rotate 5 
    size=50M
    sharedscripts 
    copytruncate 
    compress 
    prerotate 
    /opt/splunk/bin/splunk disable app input_rotate -auth admin:changeme 
    endscript 
    postrotate 
    /opt/splunk/bin/splunk enable app input_rotate -auth admin:changeme 
    endscript 
    } 
    

Remarks:

  • you may want to adapt this to your own monitor inputs.
  • if you prefer to disable only one input instead of the whole app:

/opt/splunk/bin/splunk edit monitor "/home/feed/*.log*" -disabled true -auth admin:changeme

  • the path to the Splunk CLI has to be adapted to your forwarder path.
  • it is important to monitor the rotated/compressed version of the log file to avoid missing events (my log.log* instead of just my log.log). Otherwise the last events before and during the copytruncate are lost. The Splunk init CRC will prevent the rotated versions from generating duplicates. You can compare the source to see from which file the events were monitored.

