Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Logstash close file descriptors?

Tags:

elasticsearch

logstash

logstash-grok

logstash-file

BACKGROUND:

We have rsyslog creating log files directories like: /var/log/rsyslog/SERVER-NAME/LOG-DATE/LOG-FILE-NAME So multiple servers are spilling out their logs of different dates to a central location.

Now to read these logs and store them in elasticsearch for analysing I have my logstash config file something like this:

file{
   path => /var/log/rsyslog/**/*.log
}

ISSUE :

Now as number of log files in the directory increase, logstash opens file descriptors (FD) for new files and will not release FDs for already read log files. Since log files are generated per date, once it is read, it is of no use after that since it will not be updated after that date.

I have increased the file openings limit to 65K in /etc/security/limits.conf

Can we make logstash close the handle after some time so that number of file handles opened do not increase too much ??

like image 259
Siddharth Trikha Avatar asked Jun 02 '15 10:06

Siddharth Trikha

People also ask

What is sincedb_ path in Logstash?

sincedb_path is used to persist the in-memory database across restarts. That means that if you set sincedb_path to NUL (on Windows, or /dev/null on UNIX) then when logstash is restarted it thinks every file is new and will re-read it. 2 Likes. system (system) closed January 17, 2022, 8:10pm #3.

Can Logstash read from file?

Logstash Inputs The most common inputs used are file, beats, syslog, http, tcp, ssl (recommended), udp, stdin but you can ingest data from plenty of other sources.

Can Logstash have multiple inputs?

Only use input once.

What is a file descriptor in Linux?

A file descriptor is an unsigned integer used by a process to identify an open file. The number of file descriptors available to a process is limited by the /OPEN_MAX control in the sys/limits. h file. The number of file descriptors is also controlled by the ulimit -n flag.

1 Answers

I think you may have hit this bug: http://github.com/elastic/logstash/issues/1604. Do you have the same symptoms? Exceptions in logs after some time? If you run sudo lsof | grep java | wc -l do you see the descriptors steadily increasing over time? (some of them might close, but some will stay open and their number will increase)

like image 158
Andrei Stefan Avatar answered Sep 30 '22 06:09

Andrei Stefan
Sign in to Comment

Related questions

What different between Master node gateway and other node gateway in elasticsearch? Both of them store meta data, isn't it?
In elasticsearch, must match one of array, with optional extra query term
How to use the official docker elasticsearch container?
Unable to run ElasticSearch as a service on Ubuntu [closed]
Searchkick manually remove specific record Index
Logstash agent not indexing anymore
Kibana equivalent for MongoDB [closed]
elasticsearch remove custom analyzer / filter
How to display values with decimal places in Grafana with elasticsearch datasource?
elasticsearch fail with error "Failed to execute phase [query_fetch], all shards failed"
I don't understand the results that's returning from elasticsearch/haystack
Unit testing elastic search inside Django app
AWS Elasticsearch service: Disable index auto creation (auto_create_index)
How to do a time range search in Kibana

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!