<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">This might be resolved by setting the
syslog-ng configuration option of log_msg_size to a larger value.
We use<br>
<br>
log_msg_size(32768);<br>
<br>
Evan.<br>
<br>
On 05/31/2017 05:32 AM, Corey Davelaar wrote:<br>
</div>
<blockquote type="cite"
cite="mid:MWHPR2201MB1293EC95C8599C7678E4D442A6F10@MWHPR2201MB1293.namprd22.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;"
dir="ltr">
<p>Hello,</p>
<p><br>
</p>
<p>I'm new to the group and hopefully it's not a repeat
question. I was guided to this mailing list by a balabit tech
support rep.</p>
<p><br>
</p>
<div>We use splunk on the back end of syslog-ng and we have some
syslog sources that utilize very long syslog messages, that
end up being over 1024 bytes. We switched from udp to tcp as
the transport and now we are seeing the tail end of the syslog
messages, but splunk gets confused by the inputs and treats
each line as a separate syslog message and completely
unrelated to the previous one, because that�s how syslog-ng is
treating it.<br>
<br>
I was wondering if there is a way to tell syslog-ng that if a
new packet doesn�t start with a standard syslog timestamp to
treat it as a continuation of the previous message or somehow
combine it with a previous message, utilizing a buffer type of
setting.<br>
<br>
Thanks,<br>
<br>
Corey<br>
</div>
</div>
</blockquote>
<br>
</body>
</html>