[syslog-ng]Long messages truncated in 1.5.x branch on Solaris 8

Balazs Scheidler bazsi@balabit.hu
Fri, 28 Jun 2002 14:05:43 +0200

On Fri, Jun 28, 2002 at 01:57:49PM +0200, Andreas Schulze wrote:
> Hello,
> we are observing a wondrous behavior on our central logservers.
> We have an local application, that logs to the destinations above.
> And all messages greater that approx. 975 Bytes are truncated.
> But the enigma is:
> If using the local Solaris 'logger' application, all messages greater
> than 509 Bytes are truncated.
> But they are truncated on different positions depends on the message
> size!
> (Say, if you log 600 Bytes, you get the first 509 and if you try to log
> 761,
> you get the first 26.) Hmm ?!

truss either syslog-ng or logger to see what it actually sends. log messages
might be garbled if they are around 1024 in size, since syslog-ng might also
modify it (with results in truncated messages again).

Imagine the following scenario:

- message to syslog-ng (with no host and date parts), 1024 bytes in size
- syslog-ng rewrites the messages, inserts host and date (internally these are
  stored in different variables where the 1024 limit is not appliced)
- syslog-ng formats the new message (according to the template given, or the
  usual syslog format) where the host and date parts of the message are
  inserted, the message now becomes more than 1024 bytes, thus the message
  is truncated

If syslog-ng reads a message which exceeds 1024, the remaining is read as an
independent message

PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1