On Wed, Jan 29, 2003 at 02:19:26PM -0500, Brian E. Seppanen wrote:
> Unfortunately a number of traps are getting cut off at a specific point, and the remainder of the trap ends up in syslog and not in the proper destination.

<snip>

> All of the message would be coming in via local1 so it's not that a pattern match is failing..

It's that the message is broken into two, and since syslog messages have the priority (facility/severity) info at the start of the message, the second half has no priority info at all. To conform to rfc3164 a syslog daemon has to prepend the "unknown" priority to a message that doesn't have one (13 or user.info). I'm sure this is what syslog-ng does, though I'm too lazy to look and see. Anyways, the point is that you need syslog-ng to *not* break up your large messages. 1024 bytes is the default.

A google search turns up proof of my theory:

<URL:http://lists.balabit.hu/pipermail/syslog-ng/2002-April/003169.html>

...and another search finds that syslog-ng has an option to address your need:

<URL:http://citadelle.intrinsec.com/mailing/current/HTML/ml_syslogng/0697.html>

Up your max message size with log_msg_size().

--
Nate Campi http://www.campin.net

"To promise not to do a thing is the surest way in the world to make a body want to go and do that very thing." - Samuel Clemens
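
A simplified model of the behaviour the reply describes, added here as an illustration (it is not syslog-ng's code and not part of the original message): a receiver that cuts input at a size limit parses each piece separately, so the piece without a leading `<PRI>` falls back to priority 13 and misses a local1 filter. The sample trap, the `route` filter and the log file names are constructed assumptions.

```python
import re

# syslog facility names indexed by facility number (PRI >> 3)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
              ] + [f"local{i}" for i in range(8)]
DEFAULT_PRI = 13  # RFC 3164: priority assigned to a message with no valid PRI
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_pri(msg: bytes):
    """Return (facility, severity, body); fall back to DEFAULT_PRI if no PRI."""
    m = PRI_RE.match(msg)
    if m and int(m.group(1)) <= 191:
        pri, body = int(m.group(1)), msg[m.end():]
    else:
        pri, body = DEFAULT_PRI, msg
    return FACILITIES[pri >> 3], pri & 7, body


def receive(datagram: bytes, max_size: int):
    """Cut the input every max_size bytes and parse each piece as its own message."""
    pieces = [datagram[i:i + max_size] for i in range(0, len(datagram), max_size)]
    return [parse_pri(p) for p in pieces]


def route(facility: str) -> str:
    """Hypothetical filter: local1 goes to the trap log, the rest to the default log."""
    return "traps.log" if facility == "local1" else "messages"


def deliveries(datagram: bytes, max_size: int):
    """List (facility, severity, destination, body length) for each parsed piece."""
    return [(fac, sev, route(fac), len(body))
            for fac, sev, body in receive(datagram, max_size)]


# Constructed sample: a long trap logged at local1.info (17 * 8 + 6 = 142)
SAMPLE_TRAP = b"<142>snmptrapd[412]: " + b"ifIndex.1=1 " * 120

if __name__ == "__main__":
    for limit in (1024, 8192):  # 1024 is the default named in the reply
        print(limit, deliveries(SAMPLE_TRAP, limit))
```

The `max_size` argument plays the role of the limit that `log_msg_size()` raises: once it exceeds the trap length, the message stays whole and keeps its local1 priority.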