Closed sutyak closed 3 months ago
I'm facing the same issue on different servers
Windows Server
Fluentd
If an external process was opening the file, the update of the storage file would inevitably fail in this way.
It is not nice that the tmp files are left, but basically, it does not harm the operation. (You can remove these orphaned tmp files if the update of the storage file succeeds in the end.)
The storage file is not loaded unless Fluentd is restarted or refresh_subscription_interval is performed.
If the update succeeds in the end, there will be no impact.
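The failure mode described in the comment above (an update that fails while another process holds the storage file, leaving the temp file behind) can be handled by retrying the rename and removing the temp file on every exit path. The Ruby below is an added example, not Fluentd's own storage code; the function names, the `.tmp` naming scheme, the error list and the injectable `renamer` are assumptions made for illustration.

```ruby
require "json"
require "securerandom"

# Errors raised when another process holds the target open
# (assumption: the set a rename on Windows typically fails with).
LOCK_ERRORS = [Errno::EACCES, Errno::EPERM, Errno::EBUSY].freeze

# Write data to a temp file beside `path`, then rename it into place.
# Retries the rename while the target is locked; returns the attempt count.
# `renamer` is injectable so the locked-file case can be simulated.
def save_storage(path, data, retries: 5, wait: 0.2, renamer: File.method(:rename))
  tmp = "#{path}.#{SecureRandom.hex(4)}.tmp" # hypothetical naming scheme
  File.write(tmp, JSON.generate(data))
  (retries + 1).times do |i|
    begin
      renamer.call(tmp, path)
      return i + 1
    rescue *LOCK_ERRORS
      raise if i == retries # out of retries: surface the error to the caller
      sleep(wait)
    end
  end
ensure
  # Runs on success and on failure, so a failed update leaves no orphan.
  File.delete(tmp) if tmp && File.exist?(tmp)
end

# Delete temp files left behind by earlier failed updates. Only files older
# than `min_age` seconds are removed, so an in-flight write is not touched.
def sweep_orphans(path, min_age: 60, now: Time.now)
  dir, base = File.split(path)
  stale = Dir.children(dir)
             .select { |n| n.start_with?("#{base}.") && n.end_with?(".tmp") }
             .map { |n| File.join(dir, n) }
             .select { |f| now - File.mtime(f) >= min_age }
  stale.each { |f| File.delete(f) }
  stale.size
end
```

When every retry fails, the previous storage file is left unchanged and the exception reaches the caller, so the next scheduled save can try again.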
A related issue can be found here: https://github.com/fluent/fluent-plugin-windows-eventlog/issues/57
Hopefully this provides more detail and how to reproduce the issue.
Fluentd version 1.16.1
Describe the bug
If the position file is opened by another process, such as an antivirus utility, then the temporary files generated during that time are abandoned and continue to be produced and never cleaned up. Using read all channels this has produced hundreds of thousands of temporary position files that are abandoned. Presumably this is leading to duplicate logs being read and forwarded to the endpoint due to the index not being incremented properly, but have not verified this.
To Reproduce
The simplest way to reproduce this is to have Notepad lock the file by running from a command prompt: Notepad >> winevt.json
As long as Fluentd is running the temp files will continue to be orphaned until Notepad is closed. Even after Notepad is closed Fluentd does not clean up the files.
Expected behavior
Expected behavior is for Fluentd to retry updating the pos file if it is locked by an AV process, and delete abandoned POS temp files once successful.
Configuration:
Fluentd Log (abbreviated)