search

vectordotdev / vector

A high-performance observability data pipeline.
https://vector.dev
Mozilla Public License 2.0
18.26k stars 1.61k forks source link

System Logs Not Printing When Vector Agent is Active on Windows Server #21132

Open yasanthae opened 3 months ago

yasanthae commented 3 months ago

A note for the community

Problem

When routing logs from a Windows server to an S3 bucket using Vector, the system logs stop printing to the log file. However, when the Vector agent is stopped, the system logs are printed properly. The expected behavior is for the system logs to continue printing to the log file even while logs are being transferred to the S3 bucket.

Configuration

sources:
  crm_system_logs:
    type: "file" 
    include:
      - "vector\test\path" 
    line_delimiter: "\r\n" 

sinks:
  crm_system_sink:
    type: aws_s3
    inputs:
      - crm_system_logs
    bucket: test-s3-bucket
    key_prefix: service=test_system/date=%F/
    framing:
      method: "newline_delimited" 
    encoding:
      codec: "json"

Version

0.40.0

Debug Output

No response

Example Data

2024-08-22 19:01:03.684 :355 doWork programFullPathToRun:C:\Test\O1HR_Services\test1_HRTask.exe

Additional Context

No response

References

No response

jszwedko commented 3 months ago

What could stop the system from writing logs to the file that Vector is tailing? I'm not super familiar with Windows.

yasanthae commented 3 months ago

What could stop the system from writing logs to the file that Vector is tailing? I'm not super familiar with Windows.

When Vector is running on a Windows server and is configured to ship Windows system logs to AWS S3, the Windows OS does not print logs to the specified path. When Vector is stopped, Windows prints the logs properly.

For example, we are shipping our Windows IIS logs (Log path: %SystemDrive%\inetpub\logs\LogFiles) to an S3 bucket using Vector. When Vector is shipping the logs, Windows IIS correctly writes logs to the specified log path. There is no problem there.

However, imagine I have an HR system with logs located in 'C:\HR\logs'. When I try to ship these logs to S3, the HR system does not print logs to the relevant path while Vector is running.

jszwedko commented 3 months ago

What could stop the system from writing logs to the file that Vector is tailing? I'm not super familiar with Windows.

When Vector is running on a Windows server and is configured to ship Windows system logs to AWS S3, the Windows OS does not print logs to the specified path. When Vector is stopped, Windows prints the logs properly.

For example, we are shipping our Windows IIS logs (Log path: %SystemDrive%\inetpub\logs\LogFiles) to an S3 bucket using Vector. When Vector is shipping the logs, Windows IIS correctly writes logs to the specified log path. There is no problem there.

However, imagine I have an HR system with logs located in 'C:\HR\logs'. When I try to ship these logs to S3, the HR system does not print logs to the relevant path while Vector is running.

Right, I think I understand the behavior you are describing, I just don't understand what on Windows might cause a process to not be able to write to a file while another process has it open 😓