Beats: Strange filebeat + logstash behaviour leading to truncated content

Created on 13 Oct 2016 · 5Comments · Source: elastic/beats

We have the following setup:

Log Producers
PHP scripts write to timestamp named files, using:
file_put_contents($filename, $content, FILE_APPEND | LOCK_EX);, where $content always ends with PHP_EOL, and $filename is 'filename' . $now->format('Ymd') . '.log'.

Generic logging tools like cronolog write to files, being run:
cronolog /var/log/filename.%Y%m%d.log.

Collector
Filebeat 1.2.2 (previously we had similar issues with logstash 1.4), configured with:


---
filebeat:
  prospectors:
  - paths:
    - "/var/log/*.log"
output:
  logstash:
    hosts:
    - logstash:3000

Issue
Randomly, every time the file name changes (after midnight), in the first few tens lines, we see one broken line. The broken lines truncate the content from the middle to the end, for example, instead of:

{"value": "I am a full json", "context": 3}

we see

son", "context": 3}

Let us know what other details do you need.

Filebeat bug

Source

alexef

Most helpful comment

More than 10 days after the switch to 5.0, we don't see the broken lines - I would say the upgrade fixed it.

alexef on 24 Oct 2016

🎉2

All 5 comments

@ruflin we talked briefly about our issue at the Elasticsearch Meetup. We're currently migrating to filebeat 5.0.0 hoping this will fix the issue.

alexef on 13 Oct 2016

Thanks for trying 5.0, let us know please if it fixes the issue.

tsg on 13 Oct 2016

More than 10 days after the switch to 5.0, we don't see the broken lines - I would say the upgrade fixed it.

alexef on 24 Oct 2016

🎉2

Thanks @alexef for coming back with the confirmation. I'm going to close it in this case.

tsg on 24 Oct 2016

👍1

@alexef Glad to hear that the 5.0 release fixes this. I suggest we close this issues as there are no bug fix releases planned for the 1.2 release.