seekfiles ignored after server reboot

[nicutor]

Hi,

I gave a reboot to the server and even if the seekfile was there, the logfile was fully processed again.

$protocolsdir = '/usr/local/test/tmp/logfiles';
$seekfilesdir = '/usr/local/test/tmp/logfiles';
$protocolretention = '30';
$scriptpath = '/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/local/test/bin';
$options = 'preview=1';

@searches = (
  {
    tag => 'test',
    logfile => '/usr/local/test/logs/test_log',
    criticalpatterns => [
      '\{test\}'
    ],
    options => 'nologfilenocry,nosavethresholdcount,maxlength=1024,allyoucaneat,criticalthreshold=1,script',
    script => 'logfiles_test.sh'
  }
);

Because of this, the script was run again even if was not supposed to do so.

Is this the normal behaviour? I am missing something? Shouldn't the seekfile be used all the time if exists?

Thank you.

[lausser]

You should run it with "-v", then you see some internals, especially how the plugin sees a changed logfile. Von: Nicu B ***@***.*** Gesendet: Donnerstag, 20. Januar 2022 10:01 An: lausser/check_logfiles ***@***.***> Cc: Subscribed ***@***.***> Betreff: [lausser/check_logfiles] seekfilesdir ignored after server reboot (Issue #65) Hi, I gave a reboot to the server and even if the seekfile was there, the logfile was fully processed again. $protocolsdir = '/usr/local/test/tmp/logfiles'; $seekfilesdir = '/usr/local/test/tmp/logfiles'; $protocolretention = '30'; $scriptpath = '/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/local/test/bin'; $options = 'preview=1'; @searches = ( { tag => 'test', logfile => '/usr/local/test/logs/test_log', criticalpatterns => [ '\{test\}' ], options => 'nologfilenocry,nosavethresholdcount,maxlength=1024,allyoucaneat,criticalthreshold=1,script', script => 'logfiles_test.sh' } ); Because of this, the script was run again even if was not supposed to do so. Is this the normal behaviour? I am missing something? Shouldn't the seekfile be used all the time if exists? Thank you. — Reply to this email directly, view it on GitHub <#65> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABQSOG4Q7UQHRY4XGEWZL3UW7FL5ANCNFSM5MMETUXA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> . You are receiving this because you are subscribed to this thread. <https://github.com/notifications/beacon/AABQSOCEYSQXVIYCVEYGQWTUW7FL5A5CNFSM5MMETUXKYY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4QQ2QSKQ.gif> Message ID: ***@***.*** ***@***.***> >

[hpreusse]

Same issue here, the "check_logfiles -v" is attached. Striking is the message

Fri Jan 28 15:47:23 2022: this is not the same logfile /appl/laugh/test.log 64774:4163772 != 64770:4163772

check_logfiles thinks that this is a new file due to the changing device id. Informations about the system: this is a KVM VM, file system is xfs and we're using LVM. The changing device id's are visible in the seek file (parameter "devino"). How can we avoid that then device id's are read and used to recognize the log file? Thanks!

changing_device_id.log

[hpreusse]

Another remark: the elastic people have similar issues, here the file identity strategy can be configured.

[lausser]

I just made check_logfiles-4.0.1.3.tar.gz It adds an option ramdomdevno, which ignores the device number and only looks at the inode. Von: hpreusse ***@***.*** Gesendet: Freitag, 28. Januar 2022 16:53 An: lausser/check_logfiles ***@***.***> Cc: Gerhard Lausser ***@***.***>; Comment ***@***.***> Betreff: Re: [lausser/check_logfiles] seekfiles ignored after server reboot (Issue #65) Same issue here, the "check_logfiles -v" is attached. Striking is the message Fri Jan 28 15:47:23 2022: this is not the same logfile /appl/laugh/test.log 64774:4163772 != 64770:4163772 check_logfiles thinks that this is a new file due to the changing device id. Informations about the system: this is a KVM VM, file system is xfs and we're using LVM. The changing device id's are visible in the seek file (parameter devino). How can we avoid that then device id's are read and used to recognize the log file? Thanks! changing_device_id.log <https://github.com/lausser/check_logfiles/files/7959928/changing_device_id.log> — Reply to this email directly, view it on GitHub <#65 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABQSOEM4IRWJFAFAWAJ53LUYK3VZANCNFSM5MMETUXA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> . You are receiving this because you commented.Message ID: ***@***.***>

[hpreusse]

Sorry, I'm to stupid to use that option. What am I doing wrong? ramdomdevno does not work either although the commit c29c3d4 gives the idea that correct option name is randomdevno. Thanks!

[icinga@hostname ~]$ /opt/laugh/icinga/scripts/check_logfiles_v4.0.1.3 -v '--criticalpattern' 'error|fehler' '--logfile' '/appl/laugh/test.log' '--warningpattern' 'warning|warnung'                                                          Mon Jan 31 21:16:53 2022: ==================== /appl/laugh/test.log ==================
Mon Jan 31 21:16:53 2022: try pre2seekfile /var/tmp/check_logfiles/check_logfiles.test.log.seek instead
Mon Jan 31 21:16:53 2022: try pre3seekfile /tmp/check_logfiles._appl_laugh_test.log.seek instead
Mon Jan 31 21:16:53 2022: no seekfile /var/tmp/check_logfiles/check_logfiles._appl_laugh_test.log.seek found
Mon Jan 31 21:16:53 2022: but logfile /appl/laugh/test.log found
Mon Jan 31 21:16:53 2022: ILS lastlogfile = /appl/laugh/test.log
Mon Jan 31 21:16:53 2022: ILS lastoffset = 119 / lasttime = 0 (Thu Jan  1 01:00:00 1970) / inode = 64770:4163772
Mon Jan 31 21:16:53 2022: the logfile did not change
Mon Jan 31 21:16:53 2022: keeping position 119 and time 0 (Thu Jan  1 01:00:00 1970) for inode 64770:4163772 in mind
OK - no errors or warnings|'default_lines'=0 'default_warnings'=0 'default_criticals'=0 'default_unknowns'=0
[icinga@hostname ~]$ /opt/laugh/icinga/scripts/check_logfiles_v4.0.1.3 -v '--criticalpattern' 'error|fehler' '--logfile' '/appl/laugh/test.log' '--warningpattern' 'warning|warnung' --randomdevno
Unknown option: randomdevno
<snip>
[icinga@hostname ~]$ /opt/laugh/icinga/scripts/check_logfiles_v4.0.1.3 -version
check_logfiles_v4.0.1.3 v4.0.1.3

[hpreusse]

I can confirm that version 4.1 (when using the option --randomdevno) solves the issue for me. Many thanks!