On Fri, 2008-02-08 at 14:11 -0500, Guy Fleegman wrote:
Hello: We have a system that sends messages to syslog-ng (latest version 2.0.8, but this has occurred on all 2.x versions so far).
This is what is happening: An application has a message that is too long for syslog, so it breaks the message into 2 separate syslog messages. The first one is a length seen in wireshark of 1066 bytes.
The second packet is either 69 or 70 bytes and it is simply the leftover characters 0/n/n
The problem is that the filter in my syslog-ng.conf file is not catching the second smaller messages. Instead of going to the file I direct it to, it goes to the default file (which I do not want).
What is causing this packet to not be processed by my filter? Attached is a copy of the relevant syslog-ng.conf data as well as the actual wireshark trace information.
Please advise, and thanks! -Chris
Have you played with the log_msg_size() option?