DevOps Zone is brought to you in partnership with:

Mark is a graph advocate and field engineer for Neo Technology, the company behind the Neo4j graph database. As a field engineer, Mark helps customers embrace graph data and Neo4j building sophisticated solutions to challenging data problems. When he's not with customers Mark is a developer on Neo4j and writes his experiences of being a graphista on a popular blog at http://markhneedham.com/blog. He tweets at @markhneedham. Mark is a DZone MVB and is not an employee of DZone and has posted 536 posts at DZone. You can read more from them at their website. View Full User Profile

Logstash Not Picking Up Some Files?

09.10.2012
| 5490 views |
  • submit to reddit

We’re using logstash to collect all the logs across the different machines that we use in various environments and had noticed that on some of the nodes log files which we’d told the logstash-client to track weren’t being collected.

We wanted to check what the open file descriptors of logstash-client were so we first had to grab its process id:

$ ps aux | grep logstash
logstash     19896  134  9.1 711404 187768 ?       Ssl  09:13   0:06 java -Xms128m -Xmx256m -jar /var/apps/logstash/logstash-1.1.1-rc2-monolithic.jar agent -f /etc/logstash/logstash-client.conf
root     19910  0.0  0.0   7624   936 pts/1    S+   09:13   0:00 grep --color=auto logstash

And then list the open file descriptors:

$ ls -alh /proc/19896/fd
lr-x------ 1 root root 64 2012-09-07 09:16 9 -> /var/log/syslog
...

That seemed to be restricted to 50 files for some reason so we also tried ‘lsof’:

$ lsof -p 19896
COMMAND   PID USER   FD      TYPE             DEVICE SIZE/OFF    NODE NAME
root    20230 root  txt       REG                8,1    39584   22895 /var/log/syslog
...

Either way we weren’t seeing most of the files we were supposed to be tracking so we put some print statements into the ruby-filewatch gem (which is included in the logstash jar) and redeployed the jar to see if we could figure out what was going on.

Eventually we narrowed it down to the watch.rb file’s _discover_file method which was making a call to Dir.glob and returning an empty array even for some paths which definitely existed.

    def _discover_file(path, initial=false)
      Dir.glob(path).each do |file| # if Dir.glob is empty the file doesn't get watched!
        next if @files.member?(file)
        next unless File.file?(file)

logstash 1.1.1 uses the JRuby 1.6.7 interpreter so we installed that locally to check if we could replicate the problem but we didn’t really end up getting anywhere so we ended up writing some code to work around the problem.

The beginning of the _discover_file method now looks like this:

    def _discover_file(path, initial=false)
      globbed_dirs = Dir.glob(path)
      @logger.debug("_discover_file_glob: #{path}: glob is: #{globbed_dirs}")
      if globbed_dirs.empty? && File.file?(path)
        globbed_dirs = [path]
        @logger.debug("_discover_file_glob: #{path}: glob is: #{globbed_dirs} because glob did not work")
      end
      globbed_dirs.each do |file|
        next if @files.member?(file)
        next unless File.file?(file)
 
        @logger.debug("_discover_file: #{path}: new: #{file} (exclude is #{@exclude.inspect})")
    ...

With this hack we can still ensure that a file will be watched even if Dir.glob returns an empty array.

Published at DZone with permission of Mark Needham, author and DZone MVB. (source)

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)