Hi,

There is no syslog-ng 2.4.1 version; the last 2.x version was 2.1.4, which is pretty much obsolete.

Anyway, syslog-ng and any syslog daemon in general isn't a transport mechanism for arbitrary content, so some limitations are in place. You're using spoofing, which means UDP. The 64k size limitation of a single UDP datagram is definitely a limiting factor.

What is log_msg_size in your config? How long are the lines in the logfiles which end up split into multiple messages on the other end?

Regards,
Sandor

2012/3/2 José Moreno <jmorenoa@gmail.com>:
Sorry, my previous message went out unfinished and I see I've placed it as an answer to someone else's question.
I just wanted to add that I was posting because I had not seen this issue in the list; sorry if I'm wrong.
Thanks very much in advance. Kind regards.
Sent from my iPhone
On 02/03/2012, at 14:40, José Moreno <jmorenoa@gmail.com> wrote:
Hi all,
I'm running syslog-ng 2.4.1. Log sources send to a log server which, besides keeping the original data as is in files, forwards them in real time to a SIEM, spoofing the source IP.
My problem comes after some logs are too long to fit in a single frame; the log server fragments those packets when sending them to the SIEM, and spoofing is not performed for them.
Sent from my iPhone
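One way to answer the two questions in the reply above (an added example, not part of the original thread or of syslog-ng): measure the stored log lines against the configured log_msg_size, the single-frame payload, and the UDP datagram limit. The 1500-byte MTU, IPv4 without options, the 8192 value for log_msg_size, the `overhead` parameter and the function names are assumptions; substitute the values from your own config and network.

```python
import sys
from collections import Counter

IP_UDP_HEADERS = 20 + 8                      # IPv4 header without options + UDP header
UDP_MAX_PAYLOAD = 65535 - IP_UDP_HEADERS     # largest payload of one UDP datagram


def exceeded_limits(line, log_msg_size, mtu=1500, overhead=0):
    """Return (size, [limits exceeded]) for one raw log line (bytes).

    overhead: assumed number of bytes the forwarder prepends (priority,
    timestamp, host) when it re-sends the message.
    """
    size = len(line.rstrip(b"\r\n")) + overhead
    limits = {
        "frame_payload": mtu - IP_UDP_HEADERS,  # above this, IP must fragment
        "log_msg_size": log_msg_size,           # syslog-ng's own message limit
        "udp_datagram": UDP_MAX_PAYLOAD,        # cannot be sent as one datagram
    }
    return size, [name for name, limit in limits.items() if size > limit]


def summarize(lines, log_msg_size, mtu=1500, overhead=0):
    """Count how many lines exceed each limit and record the longest line."""
    counts = Counter()
    longest = 0
    for line in lines:
        size, hit = exceeded_limits(line, log_msg_size, mtu, overhead)
        longest = max(longest, size)
        counts.update(hit or ["fits_single_frame"])
    return {"longest": longest, **counts}


# Constructed sample lines, used when no file is given on the command line.
SAMPLE = [b"a" * 100 + b"\n", b"b" * 2000 + b"\n",
          b"c" * 9000 + b"\n", b"d" * 70000 + b"\n"]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(summarize(fh, log_msg_size=8192))   # assumed value, see config
    else:
        print(summarize(SAMPLE, log_msg_size=8192))
```

Lines counted under frame_payload only are the ones the sending host has to IP-fragment; lines counted under log_msg_size or udp_datagram cannot go out as one message with that setting.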