NG 6.0.9 UDP Forwarding & Spoof Source
Hello,

I'm using NG to forward via UDP to QRadar platform. We've noticed that long messages get truncated to 1024 bytes. I thought it was because of forwarding using RFC3164 which has a limit of 1024 but forwarding using RFC5424 does not have a message limit. In the manual though for the spoof-source option there's this warning:

When using the spoof-source option, syslog-ng PE automatically truncates long messages to 1024 bytes, regardless of the settings of log-msg-size().

Does this mean no matter what, the max UDP forwarded message spoofing the source is 1024 bytes regardless of RFC?

Thanks!

Regards,
Mark Schoonover - KA6WKE
Infrastructure Engineering Manager
ENE : Tools, Instrumentation and Common Services Team
Office: 32.8697° N, 116.9711° W
Phone : 770-261-7934
Email : mark.schoonover@cigna.com
HPSM Team: ENE NMS Engineering

Confidential, unpublished property of Cigna. Do not duplicate or distribute. Use and distribution limited solely to authorized personnel. © Copyright 2018 Cigna.

CONFIDENTIALITY NOTICE: If you have received this email in error, please immediately notify the sender by e-mail at the address shown. This email transmission may contain confidential information. This information is intended only for the use of the individual(s) or entity to whom it is intended even if addressed incorrectly. Please delete it from your files if you are not the intended recipient. Thank you for your compliance. Copyright (c) 2018 Cigna
Dear Mark,

Judging from the version number, you seem to be using Syslog-ng Premium Edition. If you have an active support contract, I would recommend that you contact BalaBit at https://support.balabit.com and open a new ticket about this.

Thank you!

Kind regards,
János Szigetvári

--
Janos SZIGETVARI
RHCE, License no. 150-053-692 <https://www.redhat.com/rhtapps/verify/?certId=150-053-692>

__@__˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp

2018-04-10 19:34 GMT+02:00 Schoonover, Mark E HHHH <Mark.Schoonover@cigna.com>:
Hello,
I’m using NG to forward via UDP to QRadar platform. We’ve noticed that long messages get truncated to 1024 bytes. I thought it was because of forwarding using RFC3164 which has a limit of 1024 but forwarding using RFC5424 does not have a message limit. In the manual though for the spoof-source option there’s this warning:
When using the spoof-source option, syslog-ng PE automatically truncates long messages to 1024 bytes, regardless
of the settings of log-msg-size().
Does this mean no matter what, the max UDP forwarded message spoofing the source is 1024 bytes regardless of RFC?
Thanks!
Regards,
Mark Schoonover – KA6WKE
Infrastructure Engineering Manager
ENE : Tools, Instrumentation and Common Services Team
Office: 32.8697° N, 116.9711° W
Phone : 770-261-7934
Email : mark.schoonover@cigna.com
*HPSM Team: ENE NMS Engineering*
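A receiver-side way to measure the truncation asked about in this thread, added here as an example; it is not part of the original messages and is not syslog-ng or QRadar code. It builds RFC 5424-style probe datagrams of known size that end in a sentinel, then checks what arrives; the probe format, host name, sentinel and `simulate_relay` (a stand-in for a relay that cuts at 1024 bytes) are assumptions constructed for illustration, and 1024 is the limit quoted from the manual.

```python
import re

LIMIT = 1024             # truncation size quoted from the manual warning
END = b" END-OF-PROBE"   # constructed sentinel; a cut datagram loses it
_DECL = re.compile(rb"seq=(\d+) declared_len=(\d+) ")


def build_probe(total_len: int, seq: int) -> bytes:
    """Return an RFC 5424-style datagram of exactly total_len bytes."""
    # Constructed header: PRI 134 (local0.info), sample timestamp and host.
    head = (f"<134>1 2018-04-10T17:34:00Z probehost trunc-probe - - - "
            f"seq={seq} declared_len={total_len} ").encode("ascii")
    pad = total_len - len(head) - len(END)
    if pad < 0:
        raise ValueError("total_len too small for the probe header")
    return head + b"x" * pad + END


def check_probe(datagram: bytes) -> dict:
    """Classify one received datagram as intact, truncated or not a probe."""
    m = _DECL.search(datagram)
    if not m:
        return {"seq": None, "status": "not-a-probe"}
    received = len(datagram)
    # The sentinel decides, not the length: a relay may rewrite the header.
    intact = datagram.rstrip(b"\n").endswith(END)
    return {
        "seq": int(m.group(1)),
        "declared": int(m.group(2)),
        "received": received,
        "status": "intact" if intact else "truncated",
        "cut_at_limit": (not intact) and received == LIMIT,
    }


def simulate_relay(datagram: bytes, limit: int = LIMIT) -> bytes:
    """Hypothetical stand-in for a relay that truncates at `limit` bytes."""
    return datagram[:limit]


def report(sizes):
    """Send one probe per size through the simulated relay and check it."""
    return [check_probe(simulate_relay(build_probe(n, i)))
            for i, n in enumerate(sizes)]


if __name__ == "__main__":
    for row in report([512, 1024, 1025, 4096]):
        print(row)
```

Against a real path, send the `build_probe` output through the forwarder and feed the payloads captured at the collector to `check_probe` in place of `simulate_relay`.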