I’m using Collector-sidecar with Nxlog to pull in the localhost_access_logs for a number of Apache Tomcat servers, and for the most part it’s working fine. I’ve noticed an odd behavior for which I’m not sure how long it’s been happening. These are fairly busy Tomcat servers and the behavior I’ve seen a few times of late is that I’ll see a very high volume flood of incoming messages and find that one of these servers has sent in the entirety of a prior day’s access logs. I have the option “read since start” selected for Nxlog, but as an example I got one of these floods about an hour ago and it sent in the entirety of Thursday’s logs. The content of that log file had already been sent in throughout the day on Thursday. For the Nxlog file input settings I have “save read position” and “read since start” checked.
Has anyone else run into this?