If a log file gets deleted and then recreated with the same name, Sumo Logic performs the checks below:
1.) The Collector scans the given path expression and looks for any file names that match the path.
2.) For each file found, the Collector opens the file for reading and reads the first 2kb of the file.
3.) That first 2kb of the file is then converted into a fingerprint, which is basically a hashed string.
4.) This fingerprint is then compared to a list of known fingerprints we have already found from that Source.
5.) If the fingerprint does not match one in the known list, we start reading that file's content from the beginning and send it to Sumo. If a matching fingerprint is found in the list, we start reading from the last known byte mark of that file.
So if a file is deleted and a new file is created with the same name, we will read the first 2kb of that new file and compare it against any known fingerprints. As long as the first 2kb of the new file is not the same as that of the old file, we will then read that new file.
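A small model of the five steps above, added here as an illustration and not Sumo Logic's collector code; `ToyCollector`, the SHA-256 hash and the 2048-byte constant are assumptions. It also covers the case the last sentence excludes: a recreated file whose first 2kb is identical resumes at the old byte mark, so the earlier bytes of the new file are never read.

```python
import hashlib
import os
import tempfile

FINGERPRINT_BYTES = 2048  # "first 2kb" from the text; exact byte count is an assumption

def fingerprint(path):
    """Hash the first 2kb of the file (SHA-256 is an assumption)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(FINGERPRINT_BYTES)).hexdigest()

class ToyCollector:
    """Hypothetical model of one Source: fingerprint -> last byte mark read."""

    def __init__(self):
        self.known = {}

    def poll(self, path):
        """Return the bytes that would be sent for this file on this scan."""
        fp = fingerprint(path)
        offset = self.known.get(fp, 0)  # unknown fingerprint: start at byte 0
        with open(path, "rb") as f:
            f.seek(offset)              # known fingerprint: resume at byte mark
            data = f.read()
            self.known[fp] = f.tell()
        return data

def recreate(path, content):
    """Delete the file (if present) and create a new one with the same name."""
    if os.path.exists(path):
        os.remove(path)
    with open(path, "wb") as f:
        f.write(content)

def demo():
    header = b"#" * FINGERPRINT_BYTES  # constructed: identical first 2kb
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.log")
        c = ToyCollector()
        recreate(path, b"old-1\nold-2\n")
        first = c.poll(path)
        recreate(path, b"new-1\n")
        second = c.poll(path)  # different first 2kb: read from the beginning
        recreate(path, header + b"event-A\n")
        c.poll(path)
        recreate(path, header + b"event-B\nevent-C\n")
        third = c.poll(path)   # same first 2kb: resumes at the old byte mark
    return first, second, third
```

In the last scan only `event-C` is returned; `event-B` sits before the stored byte mark and is skipped, which is why files that begin with a long fixed header deserve attention when they are rotated or recreated.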
You can read more about fingerprints in the below link