My environment:
Splunk Ver 7.2.3
UF Ver 7.2.3
UF monitors `/var/log/messages` and forwards it to Splunk.
But after log rotation at `02-05-2019 00:05:00`, UF no longer forwards it.
In the internal log, there is a message like the one below.
02-01-2019 00:05:07.503 +0900 ERROR TailReader - File will not be read, is too small to match seekptr checksum (file=/var/log/messages). Last time we saw this initcrc, filename was different. You may wish to use larger initCrcLen for this sourcetype, or a CRC salt on this source. Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info.
But I wonder whether it is possible that the first 256 bytes of the rotated file are the same as those of the already loaded file (the file one generation ago).
Another weird thing is that **there is a message saying it begins reading the file, as follows, just before the CRC error**, and **only the first 20 lines** from the beginning of the rotated file have been **indexed in Splunk**.
02-01-2019 00:05:04.500 +0900 INFO WatchedFile - Logfile truncated while open, original pathname file='/var/log/messages', will begin reading from start.
I can't solve it by myself...
**If somebody knows about it, tell me...**
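Added example (not from the post and not Splunk's own code): a small Python model of the check TailReader is making, using zlib's CRC32 as a stand-in for Splunk's internal checksum (an assumption) over a constructed pair of log generations whose first 256 bytes coincide. It shows why the default `initCrcLength` cannot tell the two files apart, and that a larger `initCrcLength` or `crcSalt = <SOURCE>` does.

```python
import zlib

INIT_CRC_LENGTH = 256  # Splunk's default initCrcLength, in bytes


def init_crc(data: bytes, length: int = INIT_CRC_LENGTH, salt: bytes = b"") -> int:
    """Checksum over the first `length` bytes of a file, optionally salted.

    zlib.crc32 stands in for Splunk's internal checksum (assumption); what
    matters is that only the prefix and the salt influence the value, so two
    files sharing a prefix are indistinguishable to the tailer.
    """
    return zlib.crc32(salt + data[:length]) & 0xFFFFFFFF


def collides(old: bytes, new: bytes, length: int = INIT_CRC_LENGTH,
             old_source: str = "", new_source: str = "",
             salt_with_source: bool = False) -> bool:
    """True when the tailer would mistake `new` for the already-seen `old`.

    salt_with_source=True models `crcSalt = <SOURCE>`: the file path is mixed
    into the checksum, so files at different paths never share one.
    """
    old_salt = old_source.encode() if salt_with_source else b""
    new_salt = new_source.encode() if salt_with_source else b""
    return init_crc(old, length, old_salt) == init_crc(new, length, new_salt)


# Constructed sample: both generations of /var/log/messages open with the
# same burst of kernel lines (314 bytes), so their first 256 bytes match
# even though everything after that differs.
SHARED_PREFIX = b"".join(
    b"Feb  1 00:05:01 host kernel: Initializing cgroup subsys %s\n" % name
    for name in (b"cpuset", b"cpu", b"cpuacct", b"memory", b"devices"))
OLD_FILE = SHARED_PREFIX + b"Feb  1 00:06:12 host sshd[2001]: Accepted publickey for alice\n"
NEW_FILE = SHARED_PREFIX + b"Feb  2 00:07:45 host sshd[3042]: Accepted publickey for bob\n"


def diagnose(old: bytes = OLD_FILE, new: bytes = NEW_FILE) -> dict:
    """Compare the inputs.conf choices the error message hints at."""
    return {
        "default (initCrcLength=256)": collides(old, new),
        "initCrcLength=512": collides(old, new, length=512),
        "crcSalt=<SOURCE>": collides(old, new, old_source="/var/log/messages.1",
                                     new_source="/var/log/messages",
                                     salt_with_source=True),
    }


if __name__ == "__main__":
    for setting, same in diagnose().items():
        print(f"{setting}: {'COLLIDES' if same else 'distinct'}")
```

Note that `crcSalt = <SOURCE>` also changes the checksum of a file that logrotate renames in place (messages to messages.1), so a monitored rotated copy is read again from the start; raising `initCrcLength` is usually the safer choice for rotating logs.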