HSL logging sending multiple log entries in one message?
I have an iRule that generates Apache style "combined" format access logs for one of our sites. it is based on the iRule for "W3c logging".
Our LTMs run 10.x so HSL is an option. These logs are destined to be used for fraud detection systems, so I have to use TCP.
I have one syslog server in the syslog pool and it should be able to handle the traffic.
The irule is attached as is an example (sanitised) access log captured on the syslog server.
The syslog server takes the entire message received and dumps it raw as a single log entry into a log file that rolls hourly.
Most of the time it seems to be that one request = one log entry, however occasionally I see a single log entry as being made up of two distinct http_requests
Its almost as if the events have been concatenated together before being sent. logic tells me this can't happen since the iRule only fires once per request, so by virtue of that alone one request should equal one log entry.
Has anyone else come across this before? I want to rule out the LTMs before I look deeper at the syslog server.