I am using splunk to monitor Good For Enterprise Messaging Servers. These servers are highly transactional, so the active log is constantly growing. At a certain point, the active log is gzipped and stays in the same directory. I had the Splunk Universal Forwarder monitoring only the specific active log, not the entire directory, since all of the gz are not readable. The following is the Event Viewer message (Omitted specific hostname replaced with *):
logMsgOk - XXXXXXX Error compressing file: P:\Program Files (x86)\Good Technology\Good Messaging Server\logs\GMM-\GMM-.ewssvcs.tmp, Exception: System.IO.IOException: The process cannot access the file 'P:\Program Files (x86)\Good Technology\Good Messaging Server\logs\GMM-\GMM-.ewssvcs.tmp' because it is being used by another process.
   at System.IO.Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
   at System.IO.File.Open(String path, FileMode mode)
   at GoodTech.GFE.Injectable.FileSystemOps.OpenFile(String filePath, FileMode fileMode)
   at GoodTech.GFE.Log.GZipCompress.<>cDisplayClass3.
   at GoodTech.GFE.SafeIOOperation.Do(Action iop, Exception& ex)
This is from the actually messaging server, not the Splunk Server. My concern is that the Universal Forwarder will prevent logs from compressing and cause the storage to be eaten up. I did not notice a drastic increase in storage usage, but that is a concern, as well as possibly crashing the messaging service if this continues to happen. I removed the Universal Forwarder for now, until I can get some answers. These are production servers with close to 2000 users on each, so I don't want to have them failing. I welcome any recommendations that people have for monitoring this specific file without interfering with it compressing.
 
					
				
		
 
		
		
		
		
		
	
			
		
		
			
					
		I wonder if using the MonitorNoHandle input processor instead of Monitor would prevent the Forwarder from locking the file?
Monitor files and directories on docs.
