Since upgrading to Spunk 4.2.1 last month, I'm having trouble with logrotate causing our light forwarders to stop monitoring our production logfiles. I've added followTail = 1 and crcSalt = to the inputs.conf file to try to keep Splunk monitoring the file even after it's been truncated to 0 bytes by logrotate, but I'm still seeing this error sporadically:
05-12-2011 04:14:38.564 -0700 WARN FileInputTracker - Hit EOF while computing CRC: totalread=0/thisread=0/shouldread=256/hashbytes=256/fdpos=0
05-12-2011 04:14:39.186 -0700 ERROR TailingProcessor - Ignoring path due to: Could not checksum file='/var/log/mongrel/production.log'.
Here is the relevant section of inputs.conf for this light forwarder:
[monitor:///var/log/mongrel]
blacklist = \.gz$|csv_log|apn
disabled = false
followTail = 1
crcSalt = <SOURCE>
host = app5
sourcetype = Rails
And here is /etc/logrotate.d/mongrel , which controls the rotation of this log:
/var/log/mongrel/*.log {
daily
missingok
dateext
rotate 7
size 500M
compress
notifempty
sharedscripts
extension gz
copytruncate
}
Here's the section of inputs.conf that worked for us under Splunk 4.1:
[monitor:///var/log/mongrel]
blacklist = \.gz$|csv_log|apn
disabled = false
followTail = 0
host = app5
sourcetype = Rails
Restarting splunk causes the file to be monitored again, but I'd like the forwarders to be able to survive the daily log rotation (as they used to with Splunk 4.1.) Any ideas?
... View more