I have multiple subfolders within a base directory that I want to pull logs from. Do I need to set up multiple followers, or can I do that under a single follower?

Modified on Fri, 17 Nov 2023 at 10:14 AM

The File follower supports a Recursive flag within the follower directive that tells the file tracking function to recurse into the sub-directories and attempt to match the File-Filter globs against all files it sees.

For example, suppose the file follower ingester needs to read from multiple subfolders within a base directory:
/basedir/sub1/access.log
/basedir/sub2/access.log
/basedir/sub3/access.log
Here is an example that would track the above file listing:
[Follower "access example"]
    Base-Directory="/basedir"
    Recursive=true
    File-Filter="access.log" # match every access.log under /basedir and its subdirectories
    Tag-Name=access
When working with recursive followers, pay special attention to the Max-Files-Watched configuration parameter, which limits how many active files the follower will track. For example, setting it to 10 means that the File Follower will only keep an active inotify watcher on 10 files. We do this because the kernel has pretty strict limits on how many files you can watch. However, this does not mean that we'll miss data if you have 20 files. If you set it too low, we will "let go" of the oldest files and stop tracking them for changes; if you set it too high (thousands), the process might exceed the kernel's max file handle threshold and the kernel will kill the process.

To clarify, we'll detect if you write to one of the files not currently being actively watched, evict the oldest of the existing active watchers, and create a new watcher for the recently-written file. In short, you should generally be able to leave Max-Files-Watched at the default 64; if you're tracking hundreds of files that are all being written frequently, it may be useful to bump that number up, but you'll almost certainly have to change some kernel config params to allow more watchers.
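
One way to check how a recursive follower will fit before deploying it, as an added example that is not part of the original article or the product's own tooling: it counts the files a Recursive=true follower would match and compares that with Max-Files-Watched and the Linux inotify and file-handle limits. It assumes a Linux host, a hypothetical script name (watch_budget.sh), and a simple File-Filter pattern for which `find -name` matching is a reasonable stand-in.

```shell
#!/bin/sh
# Added example: size a recursive follower against Max-Files-Watched and the
# kernel limits. Usage: sh watch_budget.sh /basedir access.log 64

# Count regular files under a base directory whose name matches a glob,
# descending into every subdirectory the way Recursive=true does.
# Assumption: find -name approximates File-Filter for simple patterns only.
count_matches() {
    find "$1" -type f -name "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Print a kernel limit, or "unknown" where /proc does not expose it.
read_limit() {
    if [ -r "$1" ]; then cat "$1"; else echo unknown; fi
}

# Classify a file count against a Max-Files-Watched value:
#   fits   - every matching file can hold an active watcher
#   rotate - more files than watchers, so the oldest watchers get evicted
watch_status() {
    if [ "$1" -le "$2" ]; then echo fits; else echo rotate; fi
}

report() {
    base=$1
    glob=$2
    max_watched=${3:-64}   # 64 is the default named in the article
    n=$(count_matches "$base" "$glob")
    echo "files matching '$glob' under $base: $n"
    echo "Max-Files-Watched=$max_watched: $(watch_status "$n" "$max_watched")"
    echo "fs.inotify.max_user_watches: $(read_limit /proc/sys/fs/inotify/max_user_watches)"
    echo "fs.inotify.max_user_instances: $(read_limit /proc/sys/fs/inotify/max_user_instances)"
    echo "open file limit (ulimit -n): $(ulimit -n)"
}

# Only report when a base directory and pattern were given on the command line.
if [ "$#" -ge 2 ]; then
    report "$@"
fi
```

A "rotate" result is not data loss according to the article, but it does mean watchers are being evicted and recreated, which is the case where raising Max-Files-Watched and the kernel limits may be worth considering.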
