On Tue, 2010-10-12 at 16:02 +0200, Fiorenzi Alessandro wrote:
Hi,
We have syslog-ng 3.05 as log server, and the Datagram syslog agent on Windows systems (originally ntsyslog).
From a Windows 2003 server with syslogagent configured, I have this event in the Event Viewer:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 10/12/2010
Time: 12:26:43 PM
User: DOMAINXXX\A.Fiorenzi
Computer: XXXXXX
Description:
User Logoff:
User Name: A.Fiorenzi
Domain: DOMAINXXX
Logon ID: (0x0,0xF78F137)
Logon Type: 10
and on the syslog-ng server I get this:
Oct 12 12:26:43 XXXXXX security[success]: 538 DOMAINXXX\a.fiorenzi User Logoff User Name: A.Fiorenz Domain: DOMAINXX Logon ID: (0x0,0xF78F137 Logon Type: 1
where the description field has User Name, Domain, Logon ID and Logon Type cut off.
I have recorded the network traffic via tcpdump and I have seen the data arrive correctly.
So I have set in the syslog-ng.conf options the statement log_msg_size(8192);
The problem is still open and I do not know how to solve it. Can anyone help me?
I'm not sure if you are using udp or tcp transport, but please note that if you are using UDP, then probably IP fragmentation happens in case your log message is more than 1492 octets. Can you include the original tcpdump as you have seen it on the wire? Do you include the whole message in your sample above? How long is the complete message as transferred on the wire?
-- Bazsi
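One way to check what is missing and how long the message is, as asked in the reply above. This is an added example, not code from either poster or from syslog-ng; the two samples are copied from the post, and the function names (`parse_fields`, `compare`, `classify`) are hypothetical.

```python
import re

# Field values as shown in Event Viewer in the post above.
EXPECTED = {"User Name": "A.Fiorenzi", "Domain": "DOMAINXXX",
            "Logon ID": "(0x0,0xF78F137)", "Logon Type": "10"}

# Line as stored by syslog-ng in the post above (mail line wrap joined).
# The datagram on the wire also carries a <PRI> header, so its length differs slightly.
RECEIVED = ("Oct 12 12:26:43 XXXXXX security[success]: 538 DOMAINXXX\\a.fiorenzi "
            "User Logoff User Name: A.Fiorenz Domain: DOMAINXX "
            "Logon ID: (0x0,0xF78F137 Logon Type: 1")

def parse_fields(line, names):
    """Return {name: value}; a value runs from 'name:' to the next known label."""
    marks = sorted((m.start(), m.end(), n) for n in names
                   for m in re.finditer(re.escape(n) + ":", line))
    out = {}
    for i, (_, end, name) in enumerate(marks):
        stop = marks[i + 1][0] if i + 1 < len(marks) else len(line)
        out[name] = line[end:stop].strip()
    return out

def compare(expected, line):
    """Per field: (received value, characters missing, received is a prefix of expected)."""
    got = parse_fields(line, expected)
    report = {}
    for name, want in expected.items():
        have = got.get(name)
        missing = len(want) - len(have or "")
        report[name] = (have, missing, have is not None and want.startswith(have))
    return report

def classify(report):
    """'tail-cut': everything after one point is gone; 'per-field': later fields survive."""
    names = list(report)
    short = [i for i, n in enumerate(names) if report[n][1] > 0]
    if not short:
        return "intact"
    # A size limit or a lost fragment cuts once, so nothing after the first
    # short field would be present.
    later_present = any(report[n][0] for n in names[short[0] + 1:])
    return "per-field" if later_present else "tail-cut"

if __name__ == "__main__":
    rep = compare(EXPECTED, RECEIVED)
    for name, (have, missing, is_prefix) in rep.items():
        print(f"{name:10} got={have!r} missing={missing} prefix={is_prefix}")
    print(classify(rep), "stored length:", len(RECEIVED.encode()), "bytes")
```

On the posted sample every field is one character short while the fields after it are still present, and the stored line is far below 1492 octets.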