Eitan,

My recommendation is to use the stdin input in logstash and avoid its file input. Then, for testing you pipe the file into your logstash instance. But in production, you should run the GNU version of *tail -F* (uppercase F option) to correctly follow all forms of rotated logs, and then pipe that output into your logstash instance.
I don't know just how robust logstash's file input is, but the GNU version of tail with the -F option is perfect, so there's no guesswork and no dependency on hope. Note that even Splunk has a currently open bug with losing data while trying to follow a rotated file.

Also, I added the multiline processing to the filters; it didn't seem to work when applied as a stdin codec. Now it works very well together. Anyway, that's what our group is doing.

And yes, the logstash-users <https://groups.google.com/forum/#!forum/logstash-users> group is also rather active and is a good place for logstash-specific help.

Brian
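An added example, not part of the message above: a self-contained check of how GNU tail behaves across a rename-style rotation with `-F` (follow by name) versus `-f` (follow the open descriptor). It assumes GNU coreutils tail; the function name, temporary paths and the pipeline shown in the comment are hypothetical.

```shell
#!/bin/sh
# Production shape described in the message (paths are hypothetical):
#   tail -F /var/log/app/app.log | logstash -f /etc/logstash/stdin-pipeline.conf

# follow_across_rotation OPT
#   OPT is the tail option under test: -F or -f.
#   Prints how many of the two marker lines tail delivered.
follow_across_rotation() {
  opt=$1
  dir=$(mktemp -d) || return 1
  log="$dir/app.log"
  out="$dir/out.txt"
  : > "$log"

  # -n 0: start at end of file; -s 0.2: short poll interval so the
  # rename is noticed quickly even when inotify is not available.
  tail -n 0 -s 0.2 "$opt" "$log" > "$out" 2>/dev/null &
  pid=$!
  sleep 1

  echo "before-rotation" >> "$log"
  sleep 1

  # Rotate the way a rename-based rotation does: move the old file
  # aside, then let the writer create a new file under the old name.
  mv "$log" "$log.1"
  echo "after-rotation" >> "$log"
  sleep 3

  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true

  count=$(grep -c 'rotation' "$out" || true)
  rm -rf "$dir"
  echo "$count"
}

echo "tail -F delivered $(follow_across_rotation -F) of 2 lines"
echo "tail -f delivered $(follow_across_rotation -f) of 2 lines"
```

With `-f`, tail stays attached to the renamed file, so lines written to the new file never reach the pipe; for an audit or security log that is a silent gap in what gets indexed.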