The File follower supports a Recursive flag within the follower directive that tells the file tracking function to recurse into the sub directories and attempt to match the File-Filter globs against all files it sees.
If you are using the file follower ingester on multiple sub folders within a base directory, like the below example, the File follower supports a Recursive flag.
A recursive flag within the follower directive that tells the file tracking function to recurse into the sub directories and attempts to match the File-Filter globs against all files it sees.
Here is an example that would track the above file listing:
[Follower "access example"]
File-Filter="access.log" #we are looking for all dpkg files
When working with recursive followers, pay special attention to the Max-Files-Watched configuration parameter that limits how many active files the follower will track. For example, setting it to 10 means that File Follower will only keep an active inotify watcher on 10 files. We do this because the kernel has pretty strict limits on how many files you can watch. However this does not mean that we'll miss data if you have 20 files. If you set it too low we will "let go" of the oldest files and stop tracking them for changes, if you set it too high (thousands) the process might exceed the kernels max file handle threshold and the kernel will kill the process.
To clarify, we'll detect if you write to one of the files not currently being actively watched, evict the oldest of the existing active watchers, and create a new watcher for the recently-written file. In short, you should generally be able to leave Max-Files-Watched at the default 64; if you're tracking hundreds of files that are all being written frequently, it may be useful to bump that number up, but you'll almost certainly have to change some kernel config params to allow more watchers.