Here is a sample, first some nice ones

Jul 25 13:43:04 144.49.126.22/144.49.126.22 GET
Jul 25 13:43:07 144.49.126.22/144.49.126.22 HELLO
Jul 25 13:43:13 144.49.126.22/144.49.126.22 quit

then

Aug 20 09:59:13 tcpgateway@thishost syslog-ng[12107]: Message length overflow, line is split, log_msg_size=8192
Aug 20 10:27:53 router01/router01 ernet1/0<191>11463: Aug 20 10:25:52.617 EDT: OSPF: rcv. v:2 t:1 l:48 rid:144.63.255.232<191>11464: aid:144.1.0.0 chk:0 aut:2 keyid:1 seq:0xC64274 from FastEthernet1/0<191>11465: Aug 20 10:26:02.617 EDT: OSPF: rcv. v:2 t:1 l:48 rid:144.63.255.232<191>11466: aid: 144.1.0.0 chk:0 aut:2 keyid:1 seq:0xC64276 from FastEthernet1/0<191>11467: Aug 20 10:26:12.625 EDT: OSPF: rcv. v:2 t:1 l:48 rid:144.63.255.232<191>11468: aid:144.1.0.0 chk:0 aut:2 keyid:1 seq:0xC64278 from FastEthernet1/0<191>11469: Aug 20 10:26:22.625 EDT: OSPF: rcv. v:2 t:1 l:48 rid:144.63.255.232<191>11470: aid:14.1.0.0 chk:0 aut:2 keyid:1 seq:0xC6427A from

and continues on for a very long time on one line and then cuts off. There doesn't seem to be a field sep that I can tell in the file. I will try a tcpdump also.

Thanks

On 8/22/07, Balazs Scheidler <bazsi@balabit.hu> wrote:
> On Mon, 2007-08-20 at 17:12 -0400, Blurry wrote:
> > When a certain Cisco router is set to UDP syslog delivery it creates a unique message for each unique message, duh! But when this same router is set to TCP syslog, it takes all messages and tacks them back to back until syslog-ng runs out of buffer space in one line. I kept increasing the message log size, but the real problem is that the messages would have to be parsed out of this massive long line. My router guy says he can't make the Cisco router behave any differently. How do I handle this problem? Ideas?
>
> Is there any kind of line separator? Can you post a tcpdump or something similar that shows what is sent by the router?
>
> Thanks.
>
> -- Bazsi
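
Added example, not part of the thread and not syslog-ng code: in the sample line above every router record begins with a `<191>` priority tag followed by a sequence number and a colon, so a post-processor can split the run-together line on that prefix. It assumes that prefix is the only framing the router sends and that records without a leading timestamp continue the previous one; the sample input and the function names are constructed for illustration.

```python
import re

# Constructed sample: a shortened form of the run-together line quoted in the post.
SAMPLE = (
    "ernet1/0<191>11463: Aug 20 10:25:52.617 EDT: OSPF: rcv. v:2 t:1 l:48 "
    "rid:144.63.255.232<191>11464: aid:144.1.0.0 chk:0 aut:2 keyid:1 "
    "seq:0xC64274 from FastEthernet1/0<191>11465: Aug 20 10:26:02.617 EDT: "
    "OSPF: rcv. v:2 t:1 l:48 rid:144.63.255.232<191>11466: aid:144.1.0.0 "
    "chk:0 aut:2 keyid:1 seq:0xC64276 from FastEth"
)

# Assumed framing: "<PRI>" (1-3 digits) then a decimal sequence number and ":".
BOUNDARY = re.compile(r"<(\d{1,3})>(\d+): ?")
# A leading timestamp starts a new event; other records are continuations.
TIMESTAMP = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d(\.\d+)?")


def split_stream(buf):
    """Return (leading_fragment, records) for one run-together buffer."""
    # PRI above 191 is not a valid syslog priority, so it is not a boundary.
    marks = [m for m in BOUNDARY.finditer(buf) if int(m.group(1)) <= 191]
    head = buf[:marks[0].start()] if marks else buf
    records = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(buf)
        pri = int(m.group(1))
        records.append({
            "facility": pri >> 3,   # syslog PRI = facility * 8 + severity
            "severity": pri & 7,
            "seq": int(m.group(2)),
            "text": buf[m.end():end],
        })
    return head, records


def join_continuations(records):
    """Merge records without a timestamp into the preceding event."""
    events = []
    for rec in records:
        if events and not TIMESTAMP.match(rec["text"]):
            events[-1]["text"] += " " + rec["text"].strip()
            events[-1]["seqs"].append(rec["seq"])
        else:
            events.append({"seqs": [rec["seq"]], "text": rec["text"]})
    return events


if __name__ == "__main__":
    for ev in join_continuations(split_stream(SAMPLE)[1]):
        print(ev["seqs"], ev["text"])
```

The leading fragment (`ernet1/0` here) is the tail of a record cut off by the earlier split at `log_msg_size`, and the last event is likewise truncated, so a consumer should carry both across buffer boundaries rather than treat them as complete.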