The tail input plugin allows to monitor one or several text files. It has a similar behavior like
tail -fshell command.
The plugin reads every matched file in the
Pathpattern and for every new line found (separated by a ), it generates a new record. Optionally a database file can be used so the plugin can have a history of tracked files and a state of offsets, this is very useful to resume a state if the service is restarted.
The plugin supports the following configuration parameters:
Note that if the database parameter
DBis not specified, by default the plugin will start reading each target file from the beginning. This also might cause some unwanted behavior, for example when a line is bigger that
Skip_Long_Linesis not turned on, the file will be read from the beginning of each
Refresh_Intervaluntil the file is rotated.
Starting from Fluent Bit v1.8 we have introduced a new Multiline core functionality. For Tail input plugin, it means that now it supports the old configuration mechanism but also the new one. In order to avoid breaking changes, we will keep both but encourage our users to use the latest one. We will call the two mechanisms as:
- Multiline Core
- Old Multiline
The new multiline core is exposed by the following configuration:
As stated in the Multiline Parser documentation, now we provide built-in configuration modes. Note that when using a new
multiline.parserdefinition, you must disable the old configuration from your tail section like:
If you are running Fluent Bit to process logs coming from containers like Docker or CRI, you can use the new built-in modes for such purposes. This will help to reassembly multiline messages originally split by Docker or CRI:
multiline.parser docker, cri
multiline.parser: docker, cri
The two options separated by a comma means multi-format: try
We are still working on extending support to do multiline for nested stack traces and such. Over the Fluent Bit v1.8.x release cycle we will be updating the documentation.
For the old multiline configuration, the following options exist to configure the handling of multilines logs:
Docker mode exists to recombine JSON log lines split by the Docker daemon due to its line length limit. To use this feature, configure the tail plugin with the corresponding parser and then enable Docker mode:
In order to tail text or log files, you can run the plugin from the command line or through the configuration file:
From the command line you can let Fluent Bit parse text files with the following options:
$ fluent-bit -i tail -p path=/var/log/syslog -o stdout