Reporting

Good for Enterprise Messaging Server Monitoring

stephen_viqueir
Engager

I am using splunk to monitor Good For Enterprise Messaging Servers. These servers are highly transactional, so the active log is constantly growing. At a certain point, the active log is gzipped and stays in the same directory. I had the Splunk Universal Forwarder monitoring only the specific active log, not the entire directory, since all of the gz are not readable. The following is the Event Viewer message (Omitted specific hostname replaced with *):

logMsgOk - XXXXXXX Error compressing file: P:\Program Files (x86)\Good Technology\Good Messaging Server\logs\GMM-\GMM-.ewssvcs.tmp, Exception: System.IO.IOException: The process cannot access the file 'P:\Program Files (x86)\Good Technology\Good Messaging Server\logs\GMM-\GMM-.ewssvcs.tmp' because it is being used by another process.
at System.IO.Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
at System.IO.File.Open(String path, FileMode mode)
at GoodTech.GFE.Injectable.FileSystemOps.OpenFile(String filePath, FileMode fileMode)
at GoodTech.GFE.Log.GZipCompress.<>c
DisplayClass3.b__0()
at GoodTech.GFE.SafeIOOperation.Do(Action iop, Exception& ex)

This is from the actually messaging server, not the Splunk Server. My concern is that the Universal Forwarder will prevent logs from compressing and cause the storage to be eaten up. I did not notice a drastic increase in storage usage, but that is a concern, as well as possibly crashing the messaging service if this continues to happen. I removed the Universal Forwarder for now, until I can get some answers. These are production servers with close to 2000 users on each, so I don't want to have them failing. I welcome any recommendations that people have for monitoring this specific file without interfering with it compressing.

Tags (5)

agoodall_splunk
Splunk Employee
Splunk Employee

I wonder if using the MonitorNoHandle input processor instead of Monitor would prevent the Forwarder from locking the file?

Monitor files and directories on docs.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...