jordansissel/grok

grok pauses or gets stuck while processing a log file with follow: true

nareshov opened this issue · 0 comments

grok script used:

```
program {
  load-patterns: "patterns/base"
  load-patterns: "patterns/linux-syslog"
  load-patterns: "patterns/postfix"
#  exec "grep outbound- /var/log/maillog"
#  file "/var/log/maillog.1" {
  file "/var/lib/hadoop-0.20/ajay.m/maillog.1" {
    follow: true
  }

  match {
    pattern: "%{POSTFIXSMTPLOG}"
    #reaction: "%{QUEUEID}: %{logsource} %{to} %{relay} got response: %{reason}"
    reaction: "%{QUEUEID}: %{logsource} %{to} via %{relay}"
  }
}
```

Input logs which match the pattern look like:

```
Mar 26 04:02:11 outbound-us2 postfix/smtp[23113]: 3C8C7ED4D11: to=, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.6, status=bounced (mail for domain.com loops back to myself)
```

postfix patterns used: https://gist.github.com/be1b531485eaca695ab7
(markdown was eating up line 4, hence gisted)

Without follow: true, the grok script returns.