Alloy - not scraping logs after log rotation in Windows #2292

umeshvh opened this issue Dec 17, 2024 · 2 comments
Labels
bug Something isn't working

Comments


umeshvh commented Dec 17, 2024

What's wrong?

In Windows, when application logs are rotated, they are not fully scraped. The Alloy agent scrapes logs only from the initial file (e.g., api.log) but misses the newly created file after log rotation is triggered.

Response from Alloy team:

The Alloy engineering team confirmed this is an issue with Alloy running on Windows. These were their findings:

On Windows, when the file is deleted the tailer is stopped right away. When the new file is created, it will be picked up by the next sync_period of the local.file_match component. But because the name of the file is the same as the previous one (the one that is cached), it won't propagate the update, resulting in the file not being tailed.

This problem does not happen on Unix systems because it will only stop the tailer when the local.file_match reports that the file is gone and in the meantime it will try to re-open it.

While we continue investigating the problem, a workaround would be to have a different file name for every log rotation.

Steps to reproduce

Set up log rotation with Log4j, where the current log file is closed, compressed, renamed, and a new file is created.
Verify if Loki/Alloy scrapes logs from the new file after log rotation.
We’d appreciate your guidance on resolving this issue to ensure uninterrupted log scraping.

System information

Windows

Software version

Grafana Alloy 1.5.1 (Note: 1.3.1 also had similar behaviour)

Configuration

local.file_match "logs_logs_data_APP_A_Logs" {
	path_targets = [{
		__address__ = "localhost",
		__path__    = "C:\\L*\\S*\\Tomcat*\\logs\\*.log",
		application = "APP_A",
		environment = "prod",
		role = "<<ROLE>>",
		hostname    = "<<HOSTNAME>>",
		job         = "APP_A_Tomcat_logs",
		log_type    = "application_logs",
	}]
}
	
	loki.process "logs_logs_data_APP_A_Logs" {
	forward_to = [loki.write.logs_logs_data.receiver]

	stage.match {
		selector = "{application=\"APP_A\"}"

		stage.regex {
			expression = ".*\\\\(?P<file>[^\\\\]+)$"
			source     = "filename"
		}

		stage.labels {
			values = {
				file = null,
			}
		}
	}

	stage.match {
		selector = "{file =~ \"(?i)LS2APP.LOG\"}"
		action   = "drop"
	}

	stage.multiline {
		firstline     = "(?m)^\\d{2}-[A-Za-z]{3}-\\d{4} \\d{2}:\\d{2}:\\d{2}\\.\\d{3}|(?m)^\\d{4}-\\d{2}-\\d{2}[A-Za-z]{1}\\d{2}:\\d{2}:\\d{2}\\,\\d{3}|(?m)^\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}\\.\\d{4}|(?m)^\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}|(?m)\"\"\\d{4}-\\d{2}-\\d{2}_\\d{2}:\\d{2}:\\d{2}\\.\\d{3}|(?m)\\\"\\d{4}-\\d{2}-\\d{2}_\\d{2}:\\d{2}:\\d{2}\\.\\d{3}"
		max_lines     = 0
		max_wait_time = "10s"
	}
}

loki.source.file "logs_logs_data_APP_A_Logs" {
	targets               = local.file_match.logs_logs_data_APP_A_Logs.targets
	forward_to            = [loki.process.logs_logs_data_APP_A_Logs.receiver]
	legacy_positions_file = "c:\\tmp\\positions.yaml"
}

loki.write "logs_logs_data" {
	endpoint {
		url = "http://<<LOKI_SERVER>>:3100/loki/api/v1/push"
	}
	external_labels = {}
}

Logs


umeshvh added the bug label Dec 17, 2024
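
A simplified model of the behaviour the Alloy team describes in the issue above, added here as an illustration and not taken from Alloy's source. The type and function names are hypothetical and the file names are constructed; it shows why a reused file name leaves the new file untailed on Windows and why a unique name per rotation works around it.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// pipeline is a hypothetical model of matcher plus tailers, not Alloy's code.
type pipeline struct {
	windows bool
	cached  string          // path set last published by the file matcher
	tailers map[string]bool // paths that currently have a running tailer
}

// sync models one sync_period: targets are republished only when the path set changes.
func (p *pipeline) sync(onDisk []string) {
	sort.Strings(onDisk)
	key := strings.Join(onDisk, "|")
	if key == p.cached {
		return // same names as cached: no update reaches the tailers
	}
	p.cached = key
	p.tailers = map[string]bool{}
	for _, f := range onDisk {
		p.tailers[f] = true
	}
}

// fileDeleted models rotation removing the tailed file. On Unix the tailer
// stays and keeps trying to re-open the path, so nothing is removed here.
func (p *pipeline) fileDeleted(path string) {
	if p.windows {
		delete(p.tailers, path) // Windows: the tailer stops right away
	}
}

// tailedAfterRotation: is newName tailed after oldName is deleted and one sync runs?
func tailedAfterRotation(windows bool, oldName, newName string) bool {
	p := &pipeline{windows: windows}
	p.sync([]string{oldName})
	p.fileDeleted(oldName)
	p.sync([]string{newName})
	return p.tailers[newName]
}

func main() {
	fmt.Println("windows, name reused:", tailedAfterRotation(true, "api.log", "api.log"))
	fmt.Println("windows, unique name:", tailedAfterRotation(true, "api-1.log", "api-2.log"))
	fmt.Println("unix, name reused:   ", tailedAfterRotation(false, "api.log", "api.log"))
}
```
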
@dehaansa
Contributor

See #2282

Contributor

wildum commented Jan 23, 2025

Hello @umeshvh, I made a fix for this issue and created a Windows docker image that contains it (it was built from the latest main).
Could you give this image a try and let us know if the problem is fixed and if it behaves as expected?
