I'm currently using logstash to import dozens of log files from different webapps into Graylog. It works great the files are tagged so I know from wich webapp they originate.
I can't change the webapp thus I can't add a GELF appender to the log4j conf of the webapp. The idea is to periodically retrieve the log files, parse them and import them with logstash into Graylog.
My problem is how do I make sure I don't import a log event I've already imported. For example, I have a log file that has a log pattern that increments: log.1, log.2, etc. So I'll have log events that could be in log.1 the first time and 2 weeks later when I reimport them they'll maybe be in log.3. I'm afraid I can't handle that with logstash's file input "sincedb_path" and "start_position".
So here are a few options I've gathered and I'd like your input about them, if anyone encountered the same issue:
- Use a logstash filter dropping all events before a certain date, requires to keep an index of every last log date of every file imported (potentially 50+) and a lot of configuration writing
- Use of a drool rule in GrayLog to refuse logs with timestamps prior to last log received for a given type
- Ask to change the log pattern to be something like log.date instead of a log pattern that renames files (but I'd rather avoid this one)
- Any other idea?
