
Logstash creating directory too early


I have my logstash instance create a new directory every day to store its logs. The config file is below. It seems to create a directory (and start using it) in the evening a day early, as opposed to creating it right after midnight (when the date actually changes). I am on the West coast (UTC−08:00). I am on an OEL OS.

Configuration:

input {
  udp {
    port => 6379
  }
}

filter {
  ruby {
    code => "event['@timestamp'] = event['@timestamp'].localtime('-08:00')"
    }
}

output {
  file {
    path => ["/logstash-1.4.1/logs/%{+YYYY-MM-dd}/logstash_in.txt"]
  }
  elasticsearch {
    protocol => http
  }
  stdout {
    codec => rubydebug
  }
}

My system date and time are correct:

[root@xxx]# date
Mon Jul 14 18:22:37 PDT 2014

Solution

  • The short answer: the file output path timestamp %{+YYYY-MM-dd} refers to UTC time. That means your directory will be created in your evening time.

    For the long answer, you can refer to the file output source code. The path is

    path = event.sprintf(@path)
    

    Then drill down into event.rb:

    t = @data["@timestamp"]
    formatter = org.joda.time.format.DateTimeFormat.forPattern(key[1 .. -1])\
      .withZone(org.joda.time.DateTimeZone::UTC)
    #next org.joda.time.Instant.new(t.tv_sec * 1000 + t.tv_usec / 1000).toDateTime.toString(formatter)
    # Invoke a specific Instant constructor to avoid this warning in JRuby
    #  > ambiguous Java methods found, using org.joda.time.Instant(long)
    org.joda.time.Instant.java_class.constructor(Java::long).new_instance(
      t.tv_sec * 1000 + t.tv_usec / 1000
    ).to_java.toDateTime.toString(formatter)
    

    The path parameter %{+YYYY-MM-dd} is based on UTC time (org.joda.time.DateTimeZone::UTC).

    So, there are two solutions to do what you need:

    a) Modify event.rb to use your timezone, instead of UTC.

    b) Create your own day field and use that field where you specified %{+YYYY-MM-dd}. Here is my configuration:

    filter {
        ruby {
            code => "
                ownTime = event['@timestamp'].localtime('-08:00')
                event['day'] = ownTime.strftime('%Y-%m-%d')
            "
        }
    }
    
    output {
        file {
                path => "/logstash-1.4.1/logs/%{day}/logstash_in.txt"
        }
        stdout {
                codec => "rubydebug"
        }
    }
    

    Hope this can help you.
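
Added example (not part of the original answer or of Logstash itself): a standalone Ruby sketch of why a UTC-rendered `%{+YYYY-MM-dd}` rolls over in the Pacific evening, and of which directory a fixed `'-08:00'` offset picks while the host is on PDT (UTC−07:00). The helper names and the second and third timestamps are constructed for illustration; the first timestamp is the `date` output from the question.

```ruby
# Day string as %{+YYYY-MM-dd} renders it: always computed in UTC.
def utc_day(ts)
  ts.getutc.strftime('%Y-%m-%d')
end

# Day string as the custom 'day' field renders it: fixed UTC offset.
# getlocal returns a new Time; localtime (used in the filter) converts in place.
def offset_day(ts, offset)
  ts.getlocal(offset).strftime('%Y-%m-%d')
end

# Wall-clock time, at the given offset, of the next UTC date change.
# This is when the UTC-named directory for "tomorrow" first appears.
def utc_rollover_local(ts, offset)
  utc = ts.getutc
  next_midnight = Time.utc(utc.year, utc.month, utc.day) + 86_400
  next_midnight.getlocal(offset).strftime('%Y-%m-%d %H:%M')
end

# Sample events, all stamped in PDT (-07:00).
SAMPLES = [
  Time.new(2014, 7, 14, 18, 22, 37, '-07:00'), # from the question's `date` output
  Time.new(2014, 7, 15, 0, 30, 0, '-07:00'),   # constructed: just after local midnight
  Time.new(2014, 7, 14, 9, 0, 0, '-07:00')     # constructed: morning
].freeze

# One row per event: which directory each naming scheme would select.
def report(samples)
  samples.map do |ts|
    { event:      ts.strftime('%Y-%m-%d %H:%M %z'),
      utc:        utc_day(ts),
      fixed_0800: offset_day(ts, '-08:00'),
      pdt_0700:   offset_day(ts, '-07:00'),
      next_utc_rollover_pdt: utc_rollover_local(ts, '-07:00') }
  end
end

report(SAMPLES).each { |row| puts row }
```

With a fixed `-08:00` offset, events logged between 00:00 and 01:00 PDT still land in the previous day's directory, which matters when correlating log files against wall-clock times during an investigation.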