fluent-plugins-nursery / fluent-plugin-systemd

This is a fluentd input plugin. It reads logs from the systemd journal.
Apache License 2.0

Journal files are kept open after rotation (deletion) #34

Closed fabianmenges closed 7 years ago

fabianmenges commented 7 years ago

I'm using fluent-plugin-systemd with log rotation and old (deleted) log files are kept open.

      lsof -a +L1
      COMMAND    PID     USER   FD   TYPE DEVICE  SIZE/OFF NLINK     NODE NAME
      ruby    111608 td-agent   10w   REG  202,1     37751     0 26637960 /var/log/td-agent/td-agent.log-20170504 (deleted)
      ruby    111613 td-agent   11r   REG  202,1 134033408     0 26609659 /var/log/journal/0af04d3c78a943ae8f3cc26602e374f2/system@a8dc4a3e32d2413aa4d673232c12f111-00000000000cf94f-00054ea107e4faf7.journal (deleted)
      ruby    111613 td-agent   12r   REG  202,1 134033408     0 26609660 /var/log/journal/0af04d3c78a943ae8f3cc26602e374f2/system@4488e800e4f740b381f1a39009f9d7b4-0000000000051325-00054dd86a499acc.journal (deleted)
      ruby    111613 td-agent   13r   REG  202,1 134033408     0 26609667 /var/log/journal/0af04d3c78a943ae8f3cc26602e374f2/system@4488e800e4f740b381f1a39009f9d7b4-0000000000079cec-00054de0df71286f.journal (deleted)
      ruby    111613 td-agent   15r   REG  202,1  67108864     0 26609668 /var/log/journal/0af04d3c78a943ae8f3cc26602e374f2/system@00054e2a6bb74c97-f4b1527a627c7fd5.journal~ (deleted)
      ruby    111613 td-agent   16r   REG  202,1 134033408     0 26609669 /var/log/journal/0af04d3c78a943ae8f3cc26602e374f2/system@a8dc4a3e32d2413aa4d673232c12f111-0000000000000001-00054e2a6bb784fe.journal (deleted)
      ruby    111613 td-agent   17r   REG  202,1   8388608     0 26609633 /var/log/journal/0af04d3c78a943ae8f3cc26602e374f2/user-33917@c7e514a07ad4430baefc241e8b1fd515-000000000000045e-00054e2b42965f10.journal (deleted)
      ruby    111613 td-agent   18r   REG  202,1 134033408     0 26609674 /var/log/journal/0af04d3c78a943ae8f3cc26602e374f2/system@a8dc4a3e32d2413aa4d673232c12f111-0000000000029b97-00054e566e8d4d37.journal (deleted)
      ruby    111613 td-agent   19r   REG  202,1 134033408     0 26609662 /var/log/journal/0af04d3c78a943ae8f3cc26602e374f2/system@a8dc4a3e32d2413aa4d673232c12f111-0000000000053e52-00054e704583341b.journal (deleted)
      ruby    111613 td-agent   20r   REG  202,1 134033408     0 26609651 /var/log/journal/0af04d3c78a943ae8f3cc26602e374f2/system@a8dc4a3e32d2413aa4d673232c12f111-000000000007e03f-00054e8a0ceeabc9.journal (deleted)
      ruby    111613 td-agent   21r   REG  202,1 134033408     0 26609641 /var/log/journal/0af04d3c78a943ae8f3cc26602e374f2/system@a8dc4a3e32d2413aa4d673232c12f111-00000000000a70a3-00054e972f909dd8.journal (deleted)
      ruby    111613 td-agent   22r   REG  202,1 134033408     0 26609636 /var/log/journal/0af04d3c78a943ae8f3cc26602e374f2/system@a8dc4a3e32d2413aa4d673232c12f111-00000000000f8dd9-00054eb679545b67.journal (deleted)
      ruby    111613 td-agent   23r   REG  202,1   8388608     0 26608856 /var/log/journal/0af04d3c78a943ae8f3cc26602e374f2/user-33917@c7e514a07ad4430baefc241e8b1fd515-00000000000cec2f-00054ea0d69c6a7d.journal (deleted)
      ruby    111613 td-agent   24r   REG  202,1   8388608     0 26609664 /var/log/journal/0af04d3c78a943ae8f3cc26602e374f2/user-33917@c7e514a07ad4430baefc241e8b1fd515-00000000000d29ef-00054ea1c93d215f.journal (deleted)
      ruby    111613 td-agent   25r   REG  202,1 134033408     0 26609665 /var/log/journal/0af04d3c78a943ae8f3cc26602e374f2/system@a8dc4a3e32d2413aa4d673232c12f111-0000000000122863-00054ecd501586e2.journal (deleted)
      ruby    111613 td-agent   27r   REG  202,1   8388608     0 26637962 /var/log/journal/0af04d3c78a943ae8f3cc26602e374f2/user-33917@c7e514a07ad4430baefc241e8b1fd515-0000000000000000-0000000000000000.journal (deleted)

This is my configuration:

      <source>
        @type systemd
        path /var/log/journal
        filters [{"SYSLOG_IDENTIFIER": "sshd" }, {"SYSLOG_IDENTIFIER": "sudo" }]
        <storage>
          @type local
          persistent true
          path /etc/td-agent/cursor/login_audit
        </storage>
        tag login_audit
        read_from_head true
      </source>
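
One way to turn the `lsof -a +L1` listing from the report above into a per-process summary of deleted-but-still-open files, as an added example that is not part of the original thread or the plugin's code. The sample rows, the function names and the byte threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarise `lsof -a +L1` output per process.
# Column layout: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NLINK NODE NAME

# Constructed sample rows in the layout lsof prints; paths are placeholders.
sample_lsof() {
cat <<'EOF'
COMMAND    PID     USER   FD   TYPE DEVICE  SIZE/OFF NLINK     NODE NAME
ruby    111608 td-agent   10w   REG  202,1     37751     0 26637960 /var/log/td-agent/td-agent.log-EXAMPLE (deleted)
ruby    111613 td-agent   11r   REG  202,1 134033408     0 26609659 /var/log/journal/MACHINEID/system@EXAMPLE-1.journal (deleted)
ruby    111613 td-agent   12r   REG  202,1 134033408     0 26609660 /var/log/journal/MACHINEID/system@EXAMPLE-2.journal (deleted)
ruby    111613 td-agent   13r   REG  202,1   8388608     0 26609633 /var/log/journal/MACHINEID/user-1000@EXAMPLE-3.journal (deleted)
EOF
}

# Reads lsof +L1 text on stdin and prints one line per process:
#   PID COMMAND FILES BYTES JOURNAL_FILES
# sorted by the bytes still pinned on disk, largest first.
summarize_deleted() {
    awk '
        $1 == "COMMAND"        { next }   # header row
        $5 != "REG" || $8 != 0 { next }   # only unlinked regular files
        $7 !~ /^[0-9]+$/       { next }   # SIZE/OFF can be an offset (0t...), not a size
        {
            key = $2 " " $1
            files[key]++
            bytes[key] += $7
            if ($10 ~ /^\/var\/log\/journal\//) journal[key]++
        }
        END {
            for (k in files)
                printf "%s %d %.0f %d\n", k, files[k], bytes[k], journal[k] + 0
        }
    ' | sort -k4,4nr
}

# Exit status 1 (and print the offenders) if any process pins more than
# $1 bytes of deleted files; intended for a cron job or monitoring check.
over_budget() {
    summarize_deleted | awk -v max="$1" '$4 > max { bad = 1; print } END { exit bad + 0 }'
}

# Stand-alone run on the constructed sample.
sample_lsof | summarize_deleted
```

On a live host the input would come from `lsof -a +L1 | summarize_deleted`; space held by deleted journal files is only released when the process closes the descriptors or restarts.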

errm commented 7 years ago

Which version of the plugin are you using?

fabianmenges commented 7 years ago

Version 0.2.0

      sudo /usr/sbin/td-agent-gem list fluent-plugin-systemd

      *** LOCAL GEMS ***

      fluent-plugin-systemd (0.2.0)

ewolinetz commented 6 years ago

We are experiencing this using release 0.0.9. Would it be possible to get a cherry pick of this fix to the 0.0.x branch?