[syslog-ng] Following a file to generate one syslog message per appended line

Jim Hendrick jrhendri at maine.rr.com
Tue Jul 17 16:20:37 CEST 2012


hmmm - nothing obvious to me.

Questions that might help:
- do you know what the message rate for that source is?
- is there anything possibly unusual about the messages themselves? (how 
is end of line demarked? what are the maximum line lengths?)

I would personally try removing the flags (from source and log lines) 
and one by one add them back - looking at the changes in behavior (if 
any), then taking that one back out and adding the other.

Sorry I don't see anything obvious. Maybe someone else will see something.

Jim



On 07/17/2012 09:21 AM, Terry Burton wrote:
> Hi,
>
> I am looking to use syslog-ng to follow a file and create one syslog
> UDP message for each line that is appended to the file.
>
> So far I have the following, however this will put multiple lines into
> a single syslog message when they arrive together:
>
> source s_tail_snort { file("/srv/snort/snort.fast" flags(no-parse) ); };
> destination to_splunk { udp("143.210.16.141" port(1514) template("$MSG\n")); };
> log {source(s_tail_snort); destination(to_splunk); flags(flow-control); };
>
> I have tried adding log_fetch_limit(1) to the source and
> flush_lines(1) to the destination, but I still get multiple lines per
> syslog message:
>
> source s_tail_snort { file("/srv/snort/snort.fast" flags(no-parse)
> log_fetch_limit(1) ); };
> destination to_splunk { udp("143.210.16.141" port(1514)
> template("$MSG\n") flush_lines(1)); };
> log {source(s_tail_snort); destination(to_splunk); flags(flow-control); };
>
> Am I missing something simple?
>
>
> Thanks,
>
> Terry
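One way to check Terry's symptom on the wire, as an added example that is not part of this thread: a small UDP receiver that counts how many newline-terminated lines each datagram carries, so you can tell whether syslog-ng packed several file lines into one message or the receiver merged separate datagrams. It assumes Python 3 and the port 1514 from the destination above; the sample payloads are constructed, not captured traffic.

```python
import socket

# Constructed sample payloads for an offline check (not captured traffic).
# Each line mimics a snort "fast" alert; the second datagram shows two
# file lines packed into one message, which is the symptom in the thread.
SAMPLE_DATAGRAMS = [
    b"07/17-09:21:00.000001  [**] [1:9000001:1] constructed alert A [**] "
    b"{TCP} 192.0.2.10:40000 -> 192.0.2.20:80\n",
    b"07/17-09:21:00.000002  [**] [1:9000002:1] constructed alert B [**] "
    b"{UDP} 192.0.2.11:53 -> 192.0.2.20:53\n"
    b"07/17-09:21:00.000003  [**] [1:9000003:1] constructed alert C [**] "
    b"{TCP} 192.0.2.12:443 -> 192.0.2.20:443\n",
]


def lines_in_datagram(payload: bytes) -> list:
    """Return the non-empty lines carried by one UDP payload.

    template("$MSG\\n") terminates every syslog-ng message with a newline,
    so a datagram carrying exactly one message yields one line; two or
    more lines means several file lines were packed into one datagram by
    the sender rather than merged by the receiver."""
    text = payload.decode("utf-8", errors="replace")
    return [line for line in text.split("\n") if line]


def summarize(datagrams) -> tuple:
    """Return (datagram_count, total_lines, most_lines_in_one_datagram)."""
    counts = [len(lines_in_datagram(d)) for d in datagrams]
    return len(counts), sum(counts), max(counts, default=0)


def listen(bind_addr: str = "0.0.0.0", port: int = 1514, limit: int = 10) -> tuple:
    """Receive `limit` datagrams on the destination port used in the thread
    (1514) and print, per datagram, its size and how many lines it holds.
    Point the udp() destination at this host instead of Splunk while testing."""
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while len(received) < limit:
            payload, peer = sock.recvfrom(65535)
            received.append(payload)
            lines = lines_in_datagram(payload)
            print(f"{peer[0]}:{peer[1]} {len(payload)} bytes, {len(lines)} line(s)")
    return summarize(received)


if __name__ == "__main__":
    print("offline check:", summarize(SAMPLE_DATAGRAMS))  # (2, 3, 2)
    listen()
```

If every datagram reports one line, the packing happens downstream of syslog-ng; if some report more, the source or destination buffering is the place to look.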