<div dir="ltr"><div>Are you absolutely sure that syslog-ng is reading the config file where you set log-msg-size() to 8192? Maybe you should try to generate a syntax error on purpose and see if it fails to start up. Sometimes people have multiple configs on their system.<br><br></div><div>Or just supply the -f option to syslog-ng that tells syslog-ng where to find its configuration explicitly.<br></div><div><br></div>You can also set log-msg-size() on a per-source basis, if I remember correctly.<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">-- <br>Bazsi<br></div></div></div>
<br><div class="gmail_quote">On Mon, Jun 27, 2016 at 12:26 PM, Hirose, Shinsaku <span dir="ltr"><<a href="mailto:hirose.shinsaku@jp.fujitsu.com" target="_blank">hirose.shinsaku@jp.fujitsu.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Dear Scheidler<br>
<br>
Thanks for your response!<br>
<br>
I tried debug mode.<br>
<br>
I saw that the client received two "Incoming message".<br>
As you said, the client looks like the culprit.<br>
<br>
I think my hope is difficult for my skill.....<br>
So I will try to find another solution.<br>
<br>
I am grateful for your advice!<br>
<br>
Best regards,<br>
<span class="im HOEnZb"><br>
<br>
<br>
-----Original Message-----<br>
From: <a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a> [mailto:<a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a>] On Behalf Of Scheidler, Balazs<br>
Sent: Saturday, June 25, 2016 5:06 AM<br>
To: Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>><br>
Subject: Re: [syslog-ng] a log message is output in the two line<br>
<br>
</span><span class="im HOEnZb">For some reason the log-msg-size() setting wasn't effective. Clearly syslog-ng split the line at 8192 bytes. It could either be the client or the server, but I would vote for the client being the culprit.<br>
<br>
syslog-ng emits a debug message that starts like: "Incoming message", there you should see what was received as a single entry. My guess is that you'll see the line split there.<br>
<br>
This way you can pinpoint which one is the culprit (the client or the server).<br>
<br>
</span><div class="HOEnZb"><div class="h5">On Jun 24, 2016 11:41 AM, "Hirose, Shinsaku" <<a href="mailto:hirose.shinsaku@jp.fujitsu.com">hirose.shinsaku@jp.fujitsu.com</a> <mailto:<a href="mailto:hirose.shinsaku@jp.fujitsu.com">hirose.shinsaku@jp.fujitsu.com</a>> > wrote:<br>
<br>
<br>
Dear Sandor<br>
<br>
Thank you for your quick response.<br>
<br>
> UDP transport limits datagram size to 64k<br>
<br>
OK. Thanks!<br>
<br>
I raised log_msg_size to a higher value.<br>
But the behavior did not change.<br>
<br>
I added ' log_msg_size (16384);' in options on the two hosts.<br>
------------------------------------------------------------<br>
options {<br>
flush_lines (0);<br>
time_reopen (10);<br>
log_fifo_size (1000);<br>
long_hostnames (off);<br>
use_dns (no);<br>
use_fqdn (no);<br>
create_dirs (no);<br>
keep_hostname (yes);<br>
log_msg_size (16384);<br>
};<br>
------------------------------------------------------------<br>
<br>
And I restarted the service.<br>
But the behavior did not change.<br>
<br>
Do you know the reason?<br>
<br>
Best regards,<br>
<br>
<br>
<br>
<br>
-----Original Message-----<br>
</div></div><span class="im HOEnZb"> From: <a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a> <mailto:<a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a>> [mailto:<a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a> <mailto:<a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a>> ] On Behalf Of Sandor Geller<br>
Sent: Friday, June 24, 2016 11:32 PM<br>
</span><div class="HOEnZb"><div class="h5"> To: <a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a> <mailto:<a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>><br>
Subject: Re: [syslog-ng] a log message is output in the two line<br>
<br>
Hi,<br>
<br>
On 06/24/2016 04:10 PM, Hirose, Shinsaku wrote:<br>
> Hello, all,<br>
><br>
> I use syslog-ng-3.2.5-4.el6.x86_64 on Centos6.<br>
> I got it from the epel repository.<br>
><br>
> I am troubled in how to use the source file driver.<br>
> The trouble is that a log message is output in two lines on the remote syslog server.<br>
><br>
> How to reproduce is as follows.<br>
><br>
> 1. Prepare two hosts running syslog-ng.<br>
><br>
> Host_A configuration is as follows.<br>
> ----------------------------------------<br>
> source test {<br>
> file("/tmp/a.log");<br>
> };<br>
> destination d_remote { udp("192.168.0.2"); };<br>
> log { source(test); destination(d_remote); };<br>
> ----------------------------------------<br>
<br>
UDP transport limits datagram size to 64k<br>
<br>
> Host_B(192.168.0.2) configuration is defaults.<br>
><br>
> 2.Execute following command on Host_A.<br>
><br>
> $ seq 8193 | (xargs -i echo -n "a";echo "") >> /tmp/a.log<br>
><br>
> 3.Check the log on Host_B.<br>
><br>
> As the result, a log message is output in the two lines on Host_B.<br>
><br>
> One line is following. The num of "a" is 8192.<br>
> aaaaaaaaaaaaa.......<br>
><br>
> The other line is following. The num of "a" is 1.<br>
> a<br>
><br>
> I hope a log message is output in the one line on Host_B.<br>
> Is my hope readily achievable?<br>
<br>
<br>
syslog isn't rsync so the syslog standards must get taken into account.<br>
Original syslog was designed to work with single-line, small messages (up to 1k) fitting into a single UDP packet to avoid fragmenting the datagram.<br>
<br>
IIRC the maximal message size in syslog-ng defaults to 8192 bytes, so from stream-like sources input will be split when this length is reached.<br>
<br>
> Please advise me.<br>
<br>
You can raise log_msg_size to a higher value but don't expect that values larger than 64k will work with the udp() transport. You should switch to another transport driver like tcp() or even better to syslog().<br>
<br>
Regards,<br>
<br>
Sandor<br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br>
</div></div></blockquote></div><br></div>
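<div>The split reported in this thread (an 8193-byte line arriving as 8192 + 1) can be reproduced offline and looked for in collected logs. The Python below is an added example, not part of the original messages and not syslog-ng code; the function names and the simplified size-capped reader are assumptions made for illustration.</div>

```python
"""Model of a size-capped line reader (an illustration, not syslog-ng source)."""

# Largest IPv4 UDP payload: 65535 - 20 (IP header) - 8 (UDP header).
UDP_MAX_PAYLOAD = 65507


def split_records(stream, log_msg_size=8192):
    """Cut each newline-terminated line into records of at most log_msg_size bytes."""
    records = []
    for line in stream.split(b"\n"):
        for off in range(0, len(line), log_msg_size):
            records.append(line[off:off + log_msg_size])
    return records


def fits_udp(record, header_len=0):
    """True if the record plus a syslog header of header_len bytes fits one datagram."""
    return len(record) + header_len <= UDP_MAX_PAYLOAD


def find_split_suspects(records, log_msg_size=8192):
    """Return (i, i + 1) pairs where record i is exactly at the cap, so record
    i + 1 is probably the tail of the same original line."""
    return [(i, i + 1) for i in range(len(records) - 1)
            if len(records[i]) == log_msg_size]


def demo():
    # Constructed input, same shape as the thread's test: 8193 "a" characters and a newline.
    stream = b"a" * 8193 + b"\n"
    default = split_records(stream)
    raised = split_records(stream, log_msg_size=16384)
    return {
        "default_lengths": [len(r) for r in default],
        "raised_lengths": [len(r) for r in raised],
        "suspects": find_split_suspects(default),
        "fits_udp": fits_udp(raised[0]),
    }


if __name__ == "__main__":
    print(demo())
```

A record that is legitimately exactly 8192 bytes long also matches, so treat the returned pairs as candidates for review before rejoining them or tuning parsers that depend on whole messages.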