[syslog-ng] Fwd: Re: Following a file to generate one syslog message per appended line

Terry Burton tez at terryburton.co.uk
Wed Jul 18 12:09:46 CEST 2012


On 18 July 2012 10:24, Sandor Geller <Sandor.Geller at morganstanley.com> wrote:
> On Tue, Jul 17, 2012 at 8:54 PM, Terry Burton <terry.burton at gmail.com> wrote:
> < snip >
>>> > I am wondering whether the file source driver does not treat a lone LF
>>> > as a new line and therefore log_fetch_limit(1) is ineffective? I am
>>> > about to test this.
>>>
>>> It should treat one NL (aka LF, ASCII 10) as line terminator. What version
>>> of syslog-ng are you using?
>>
>> Version 3.1.3 on Debian Squeeze, 64 bit.
>
> What are you experiencing exactly? One outgoing UDP packet having
> multiple syslog messages or one syslog message having multiple lines
> concatenated?

Closer inspection of the network trace indicates that syslog-ng is in
fact doing the right thing when using log_fetch_limit(1), generating
one syslog UDP packet per input message. Apologies for the noise.

It is my concentrator (Splunk) that is concatenating messages received
within short time intervals into single events, which made me believe
that log_fetch_limit(1) wasn't taking effect.


Thanks for the support,

Terry

