cityindex-attic / logsearch

[unmaintained] A development environment for ELK
Apache License 2.0

Handle multiline messages shipped from lumberjack #351

Closed mrdavidlaing closed 10 years ago

mrdavidlaing commented 10 years ago

lumberjack/logstashforwarder doesn't support multiline messages; rather, this must be handled by the lumberjack ingestor.

mrdavidlaing commented 10 years ago

resolves #316

dpb587 commented 10 years ago

Nice changes here.

I think it's important to mention that this multiline fix may not work 100% of the time because it assumes a single logstash parser and serial parsing of the queue - an assumption that our scalable, parallel workers break. This can have the effect of a multiline message being incomplete (if node A receives lines 1 - 5 and node B receives 6 - 8), but it could also have the effect of two unrelated multiline messages being combined (if node A receives message 1 lines 1 - 5, node B receives message 1 lines 6 - 8 and message 2 lines 1 - 3, node A receives message 2 lines 4 - 7).

mrdavidlaing commented 10 years ago

@dpb587 I don't think this will ever happen since the multi-line combining is happening before it hits the queue. It's also highly unlikely even when we have multiple lumberjack ingestors, since logstashforwarder only switches to the next ingestor on a TCP error (I think).

dpb587 commented 10 years ago

Ooh, you're completely right; sorry. I forgot when this multiline stuff would be happening. Thanks for correcting me!
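
An added sketch of the ordering point settled in this thread, not code from the pull request or from logstash: joining continuation lines on the single ordered shipper connection keeps events whole, while joining after raw lines are spread across parallel workers yields both truncated and wrongly merged events. The continuation rule (leading whitespace), the batch size, the round-robin distribution and all function names are assumptions made for illustration.

```python
import re

# Assumption: a line starting with whitespace continues the previous event
# (stack-trace style). The pattern actually used in the PR is not on the page.
CONTINUATION = re.compile(r"^\s")

def combine(lines):
    """Stateful multiline join: append continuation lines to the previous event."""
    events = []
    for line in lines:
        if events and CONTINUATION.match(line):
            events[-1] += "\n" + line
        else:
            events.append(line)
    return events

def combine_at_ingestor(stream, workers=2):
    """Join on the one ordered connection, then spread whole events over workers."""
    events = combine(stream)
    return [events[i::workers] for i in range(workers)]

def combine_in_workers(stream, workers=2, batch=2):
    """Queue raw lines first; each worker joins only the batches it happens to pull."""
    batches = [stream[i:i + batch] for i in range(0, len(stream), batch)]
    shares = [[] for _ in range(workers)]
    for n, b in enumerate(batches):
        shares[n % workers].extend(b)  # assumed round-robin hand-out
    return [combine(share) for share in shares]

# Constructed sample: two unrelated exceptions arriving on one shipper connection.
STREAM = [
    "ERROR first failure",
    "  at a.one()",
    "  at a.two()",
    "  at a.three()",
    "ERROR second failure",
    "  at b.one()",
    "  at b.two()",
]

if __name__ == "__main__":
    for name, fn in (("ingestor", combine_at_ingestor), ("workers", combine_in_workers)):
        for w, events in enumerate(fn(STREAM)):
            for e in events:
                print(name, w, repr(e))
```

With the constructed input, the worker-side variant leaves one worker holding two truncated exceptions and the other holding a single event that mixes frames from both, which matters when those events feed alerting or forensic timelines.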