Thanks very much Bazsi, I'll check connection tracking and will let the list know about any progress.

Kind regards.
José Moreno

On 18/03/2012, at 13:15, Balazs Scheidler <bazsi@balabit.hu> wrote:
On Tue, 2012-03-06 at 11:42 +0100, Sandor Geller wrote:
Hi,
There is no syslog-ng 2.4.1 version, the last 2.x version was 2.1.4 which is pretty much obsolete. Anyway, syslog-ng and any syslog daemon in general isn't a transport mechanism for arbitrary content so some limitations are in place. You're using spoofing which means UDP. The 64k size limitation of a single UDP datagram is definitely a limiting factor. What is log_msg_size in your config? How long are the lines in the logfiles which end up split into multiple messages on the other end?
Yup, checking the code in question, it prepares a single UDP datagram, and sends it off fire-and-forget, without thinking a little bit about MTU settings.
I'm not sure how libnet/kernel processes these packets, it might simply truncate them or drop them altogether.
If the kernel chooses to refragment such packets (which might easily happen if you are using connection tracking on Linux, even if the core kernel doesn't do it), it should properly produce correct IP addresses in the 2nd and subsequent fragments.
-- Bazsi
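
Added illustration, not part of the original thread and not syslog-ng or libnet code: how one UDP datagram carrying a syslog message maps onto IPv4 fragments, and why every fragment carries the (spoofed) source address in its own IP header. The 1500-byte MTU, the identification value, the zeroed checksum and the RFC 5737 documentation addresses are assumptions chosen for the example.

```python
import socket
import struct

IP_HDR, UDP_HDR = 20, 8                     # IPv4 header without options, UDP header
MAX_UDP_PAYLOAD = 65535 - IP_HDR - UDP_HDR  # 65507: IPv4 total length is a 16-bit field

def plan_fragments(msg_len, mtu=1500):
    """Return (offset_bytes, data_len, more_fragments) for each IPv4 fragment
    of a single UDP datagram carrying msg_len bytes of syslog payload."""
    if not 0 <= msg_len <= MAX_UDP_PAYLOAD:
        raise ValueError("message does not fit in a single UDP datagram")
    remaining = UDP_HDR + msg_len           # IP payload = UDP header + message
    per_frag = (mtu - IP_HDR) // 8 * 8      # non-final fragments carry a multiple of 8 bytes
    plan, offset = [], 0
    while remaining > 0:
        size = min(per_frag, remaining)
        remaining -= size
        plan.append((offset, size, remaining > 0))
        offset += size
    return plan

def fragment_headers(src, dst, msg_len, mtu=1500, ident=0x1234):
    """Build the 20-byte IPv4 header of every fragment.
    The header checksum is left at 0 to keep the example short."""
    headers = []
    for offset, size, more in plan_fragments(msg_len, mtu):
        # MF flag (0x2000) on all but the last fragment, offset in 8-byte units
        flags_off = (0x2000 if more else 0) | (offset // 8)
        headers.append(struct.pack(
            "!BBHHHBBH4s4s",
            0x45, 0, IP_HDR + size, ident, flags_off,
            64, socket.IPPROTO_UDP, 0,
            socket.inet_aton(src), socket.inet_aton(dst)))
    return headers

def source_of(header):
    """Source address field (bytes 12..15) of an IPv4 header."""
    return socket.inet_ntoa(header[12:16])

if __name__ == "__main__":
    # Constructed sample: an 8192-byte message sent with a spoofed source address
    for hdr in fragment_headers("192.0.2.10", "198.51.100.5", 8192):
        total_len, _, flags_off = struct.unpack("!HHH", hdr[2:8])
        print(source_of(hdr), "total_len", total_len,
              "offset", (flags_off & 0x1FFF) * 8, "MF", bool(flags_off & 0x2000))
```

Only the first fragment contains the UDP header; the source address lives in the IP header, so it has to be repeated correctly in each later fragment.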