I have a setup running Splunk 6.4 indexing FireEye logs.
FireEye is sending logs in CEF SYSLOG format through port 514, and i have rsyslog receiving these data and writing them to flat file. Splunk will be monitoring the flat file and index them in.
However i notice that sometimes one event consist of 2 or more events. So I tried copying in 3 lines of event for testing and realise logs are not line broken. Is there something wrong with the TA? I cant get it to read line by line even with SHOULD_LINEMERGE=false