Hi,
Thanks very much for your help. Version is 2.1.4, sorry for the mistake. Actually, log_msg_size is not present in the configuration file, so I guess it defaults to 8192 bytes, after reading documentation, though I don't know if that figure applies to that version too. Nevertheless, the long logs are no more than 5Kbyte; they are Windows events. I'll try setting log_msg_size to some value higher than my longest logs and will try to upgrade syslog-ng. Meanwhile your comments would be much appreciated.
Thanks very much again and kind regards.
José Moreno
On 06/03/2012, at 11:42, Sandor Geller <Sandor.Geller@morganstanley.com> wrote:
Hi,
There is no syslog-ng 2.4.1 version, the last 2.x version was 2.1.4 which is pretty much obsolete. Anyway, syslog-ng and any syslog daemon in general isn't a transport mechanism for arbitrary content so some limitations are in place. You're using spoofing which means UDP. The 64k size limitation of a single UDP datagram is definitely a limiting factor. What is log_msg_size in your config? How long are the lines in the logfiles which end up split into multiple messages on the other end?
Regards,
Sandor
2012/3/2 José Moreno <jmorenoa@gmail.com>:
Sorry, my previous message went out unfinished and I see I've placed it as an answer to someone else's question.
I just wanted to add that I was posting because I had not seen this issue in the list; sorry if I'm wrong.
Thanks very much in advance. Kind regards.
Sent from my iPhone
On 02/03/2012, at 14:40, José Moreno <jmorenoa@gmail.com> wrote:
Hi all,
I'm running syslog-ng 2.4.1; log sources send to a log server which, besides keeping the original data as is in files, forwards them in real time to a SIEM, spoofing the source IP.
My problem comes after some logs are too long to fit in a single frame; the log server fragments those packets when sending them to the SIEM and spoofing is not performed for them.
Sent from my iPhone
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq