AWS Cloudwatch - spamming of Fallback messages

Just recently we have a webserver cluster having disk space issues, and it's the awslogs.log file. These are all Ubuntu 20.04 LTS servers, and recently the drives are filling due to the awslogs.log file. These servers host a bunch of small websites, each vhost writes its own log, but now all the sites are spamming hundreds of warnings per minute with a warning such as;

2023-04-12 16:02:24,806 - cwlogs.push.reader - WARNING - 1266967 - Thread-4 - Fall back to current time: {'timestamp': 1681329744806, 'start_position': 1149160L, 'end_position': 1149310L}, reason: timestamp could not be parsed from message.

I commented all the sites in the config, so it is just the syslog (not doing it) and just one site and it starts right back. The odd thing is I am getting real data to cloudwatch, so it's a spam of warnings, then a success like this;

2023-04-12 16:02:18,931 - cwlogs.push.publisher - INFO - 1266967 - Thread-3 - Log group: websites, log stream: secure-website.access, queue size: 0, Publish batch: {'skipped_events_count': 0, 'first_event': {'timestamp': 1681329733796, 'start_position': 1148714L, 'end_position': 1148865L}, 'fallback_events_count': 1, 'last_event': {'timestamp': 1681329733796, 'start_position': 1148714L, 'end_position': 1148865L}, 'source_id': 'e15231b897d06bbd6ca96b06bb81994e', 'num_of_events': 1, 'batch_size_in_bytes': 176}

Then more spamming. I am running the CloudWatch agent - 1.247358.0b252413, AWS CLI is aws-cli/2.11.11.

Apache Vhost logging looks like this; LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined LogFormat "%{X-Forwarded-For}i %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" proxy SetEnvIf X-Forwarded-For "^......." forwarded CustomLog "/var/log/apache2/secure.website.com-access.log" combined env=!forwarded CustomLog "/var/log/apache2/secure.website.com-access.log" proxy env=forwarded

And the AWS conf for this looks like; [/var/log/apache2/secure.website-access.log] datetime_format = %b %d %H:%M:%S file = /var/log/apache2/secure.website.com-access.log buffer_duration = 5000 log_stream_name = secure-website.access initial_position = start_of_file log_group_name = websites

Any help or suggestions is appreciated.

Topics

Management & Governance

Relevant content

UPSTREAM_NOT_FOUND [519] and Ubuntu 20.04.5 LTS
rePost-User-7234571
asked a year ago
We have multiple sql server databases on premises and those are setup as clusters, now we have decided to migrate same in RDS, ow how to migrate clusters
rePost-User-0916324
asked 2 years ago
I recently have created an instance and not SSH shows an error after update
Accepted Answer
seoisart
asked 10 months ago
Why snapshot file are 0 bytes. Files exist when mounted but take up no space on disk and have no content.
AWS-User-6294425
asked 2 years ago
How can I install CloudFormation helper scripts on Ubuntu 16.04 LTS/Ubuntu 18.04 LTS/Ubuntu 20.04 LTS/Ubuntu 22.04 LTS or RHEL 9 AMIs?
AWS OFFICIALUpdated a year ago
What are the common issues on the recent TFN registration process for sending SMS messages to US-based numbers using Amazon Simple Notification Service (Amazon SNS)?
AWS OFFICIALUpdated 10 months ago
Why is the core node in my Amazon EMR cluster running out of disk space?
AWS OFFICIALUpdated a year ago
What are SWAP files and why are they consuming space on my AWS DMS instance?
AWS OFFICIALUpdated 2 years ago
Announcing new AWS Console Home widgets for recent AWS blog posts and launch announcements
EXPERT
RickSuttles
published 2 years ago
Amazon GameLift releases a new version of the server SDKs and game engine plugins
EXPERT
Sachin
published 3 months ago