Hmmm - nothing obvious to me. Questions that might help:
- do you know what the message rate for that source is?
- is there anything possibly unusual about the messages themselves? (how is end of line demarked? what are the maximum line lengths?)

I would personally try removing the flags (from source and log lines) and one by one add them back, looking at the changes in behavior (if any), then taking that one back out and adding the other. Sorry, I don't see anything obvious. Maybe someone else will see something.

Jim

On 07/17/2012 09:21 AM, Terry Burton wrote:
Hi,
I am looking to use syslog-ng to follow a file and create one syslog UDP message for each line that is appended to the file.
So far I have the following, however this will put multiple lines into a single syslog message when they arrive together:
    source s_tail_snort {
        file("/srv/snort/snort.fast" flags(no-parse));
    };
    destination to_splunk {
        udp("143.210.16.141" port(1514) template("$MSG\n"));
    };
    log {
        source(s_tail_snort);
        destination(to_splunk);
        flags(flow-control);
    };
I have tried adding log_fetch_limit(1) to the source and flush_lines(1) to the destination, but I still get multiple lines per syslog message:
    source s_tail_snort {
        file("/srv/snort/snort.fast" flags(no-parse) log_fetch_limit(1));
    };
    destination to_splunk {
        udp("143.210.16.141" port(1514) template("$MSG\n") flush_lines(1));
    };
    log {
        source(s_tail_snort);
        destination(to_splunk);
        flags(flow-control);
    };
Am I missing something simple?
Thanks,
Terry

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
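A diagnostic that follows Jim's line of questioning, added here as an example and not part of the thread or of syslog-ng itself: a small UDP listener that counts newline-terminated lines in each datagram it receives. Running it in place of Splunk on port 1514 (the port from Terry's destination) separates "syslog-ng packs several file lines into one datagram" from "the receiver merges separate datagrams", and the histogram it returns shows whether the packing correlates with bursts. The function names, the Snort-style sample payloads and the listener defaults are assumptions made for this example.

```python
"""
Added diagnostic (not from the thread): a UDP listener that reports how many
newline-terminated lines arrive in each datagram. Port 1514 matches the
udp() destination in the thread; the function names and the constructed
sample payloads below are made up for this example.
"""
import socket
from collections import Counter

LISTEN_ADDR = ("0.0.0.0", 1514)   # same port the udp() destination sends to


def count_lines(payload: bytes, eol: bytes = b"\n") -> int:
    """Number of lines in one datagram.

    A trailing EOL does not start an extra empty line, so b"a\\n" -> 1 and
    b"a\\nb\\n" -> 2.  An unterminated tail (b"a\\nb") still counts as a line.
    """
    if not payload:
        return 0
    stripped = payload[:-len(eol)] if payload.endswith(eol) else payload
    return stripped.count(eol) + 1


def summarize(datagrams):
    """Histogram of lines-per-datagram plus the datagrams that held >1 line.

    Returns (Counter {lines: datagram_count}, list of offending payloads).
    """
    hist = Counter()
    multi = []
    for d in datagrams:
        n = count_lines(d)
        hist[n] += 1
        if n > 1:
            multi.append(d)
    return hist, multi


# Constructed sample payloads standing in for what the receiver might see:
# two clean one-line datagrams and one datagram carrying three file lines
# (the Snort "fast" alert lines are invented for this example).
SAMPLE_DATAGRAMS = [
    b"07/17-09:21:01.000000 [**] [1:2000:1] example alert [**]\n",
    b"07/17-09:21:02.000000 [**] [1:2001:1] example alert [**]\n",
    b"07/17-09:21:03.000000 [**] [1:2002:1] a [**]\n"
    b"07/17-09:21:03.000001 [**] [1:2003:1] b [**]\n"
    b"07/17-09:21:03.000002 [**] [1:2004:1] c [**]\n",
]


def listen(addr=LISTEN_ADDR, max_datagrams=100):
    """Capture up to max_datagrams UDP datagrams and return them as a list."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(addr)
        while len(seen) < max_datagrams:
            data, _ = s.recvfrom(65535)
            seen.append(data)
    return seen


if __name__ == "__main__":
    # Stop syslog-ng's real receiver first so this process can bind the port.
    hist, multi = summarize(listen())
    print("lines-per-datagram histogram:", dict(hist))
    for d in multi:
        print("multi-line datagram:", d)
```

If every datagram reports one line, the packing happens downstream of the wire and the syslog-ng options are not the problem; if the multi-line datagrams cluster at the same timestamps, that points at the burst behaviour Jim asks about (message rate and how lines are terminated).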