Ingesting log files from Windows through CIFS share


(Timo Kousa) #1

We have a 3rd party service running on a Windows machine where we are not allowed to install any extra software to collect the logs. We can however mount the CIFS/SMB shares where the service writes its logs to. I’ve set up an extra RedHat server where I mount all the log-shares and set up sidecar to collect and send the logs from the mounted directories to a Graylog server.

This all works fine when first started but after a while the collector server starts to send some of the files over and over again generating millions of lines of logs even though there are not that many new lines in the actual logs. This might have something to do with log rotation happening on the Windows but it is hard to verify. The amount of logs coming in disables the Graylog server as it can’t handle it. I’ve tried both filebeat and nxlog backend but it happens with both, maybe sooner with the filebeat. Local files from the collector server work just fine so this has something to do with the log files being mounted through the CIFS.

Any idea what to try to make this work? Some special settings or perhaps CIFS mount options to try? Or some other setup altogether?
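Added illustration, not part of the original post: a toy model of the shipper's registry that the symptom above points at. Collectors such as filebeat remember how far they have read each file under a key derived from the file's identity; if that key stops matching the file after a rotation on the share (a hypothesis, assumed here to reproduce the symptom), the file is read from offset 0 again on every scan, which is exactly the "same file over and over" pattern. The model compares an identity-keyed registry with a path-keyed one on the same sequence of writes; the paths, inode numbers and line contents are constructed.

```python
"""Toy model of a log shipper's read-offset registry (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Hashable, List, Tuple


@dataclass
class FakeFile:
    """A log file as seen by the collector: path, inode and current content."""
    path: str
    inode: int
    content: str = ""


@dataclass
class Registry:
    """Remembers the byte offset already shipped, keyed by key_fn(file)."""
    key_fn: Callable[[FakeFile], Hashable]
    offsets: Dict[Hashable, int] = field(default_factory=dict)

    def harvest(self, f: FakeFile) -> List[str]:
        """Ship the lines written since the last harvest of this key."""
        key = self.key_fn(f)
        start = self.offsets.get(key, 0)
        if start > len(f.content):
            # File shrank (truncated/rotated in place): restart from the top.
            start = 0
        new_lines = f.content[start:].splitlines()
        self.offsets[key] = len(f.content)
        return new_lines


def native_identity(f: FakeFile) -> Hashable:
    """Key on the inode, as a filebeat-style 'native' identity does."""
    return ("inode", f.inode)


def path_identity(f: FakeFile) -> Hashable:
    """Key on the path instead of the inode."""
    return ("path", f.path)


def simulate(key_fn: Callable[[FakeFile], Hashable],
             inode_stable: bool, scans: int = 5) -> Tuple[int, int]:
    """Append one line per scan and harvest; return (lines written, lines shipped).

    inode_stable=False models a share where the inode the client sees changes
    between scans (an assumption used to reproduce the re-sending symptom).
    """
    f = FakeFile(path="/mnt/svc/app.log", inode=1000)  # constructed path
    reg = Registry(key_fn)
    written = shipped = 0
    for scan in range(scans):
        f.content += f"line {scan}\n"
        written += 1
        if not inode_stable:
            f.inode = 1000 + scan  # fresh inode every scan: offset is lost
        shipped += len(reg.harvest(f))
    return written, shipped


if __name__ == "__main__":
    print("inode key, unstable inode:", simulate(native_identity, False))
    print("inode key, stable inode:  ", simulate(native_identity, True))
    print("path key, unstable inode: ", simulate(path_identity, False))
```

With an unstable inode the inode-keyed registry ships 1+2+3+4+5 = 15 lines for 5 written, and the amplification grows with every scan; keying on the path ships 5. A quick check on the real mount is to run `stat` on one of the log files twice across a rotation and see whether the inode changes. If it does, that matches this model, and on the filebeat side the `file_identity` setting (for example `file_identity.path` or the `inode_marker` variant) exists precisely for filesystems whose inodes are not stable; whether it resolves this particular share is something to verify rather than assume.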