On 18 July 2012 10:24, Sandor Geller <Sandor.Geller@morganstanley.com> wrote:
On Tue, Jul 17, 2012 at 8:54 PM, Terry Burton <terry.burton@gmail.com> wrote: < snip >
I am wondering whether the file source driver does not treat a lone LF as a new line and therefore log_fetch_limit(1) is ineffective? I am about to test this.
It should treat one NL (aka LF, ASCII 10) as a line terminator. What version of syslog-ng are you using?
Version 3.1.3 on Debian Squeeze, 64 bit.
What are you experiencing exactly? One outgoing UDP packet having multiple syslog messages or one syslog message having multiple lines concatenated?
Closer inspection of the network trace indicates that syslog-ng is in fact doing the right thing when using log_fetch_limit(1), generating one syslog UDP packet per input message. Apologies for the noise. It is my concentrator (Splunk) that is concatenating messages received within short time intervals into single events which made me believe that log_fetch_limit(1) wasn't taking effect.

Thanks for the support,
Terry