[syslog-ng] Filtering Large Syslog Messages
Andreas Schulze
Andreas.Schulze@mediaWays.NET
Mon, 03 Feb 2003 17:04:21 +0100
Balazs Scheidler wrote:
> On Wed, Jan 29, 2003 at 02:19:26PM -0500, Brian E. Seppanen wrote:
>
>>I have snmptrapd running so that any trap that it receives should be
>>logged to local1. I have a filter taking anything received via local1
>>to a specific file
>>
>>Unfortunately a number of traps are getting cut off at a specific
>>point, and the remainder of the trap ends up in syslog and not in the
>>proper destination.

We are running snmptrapd and syslog-ng 1.5.x under Solaris 8 and
observed exactly the same problem.

> syslog defaults to 1024 byte long messages, but this value is tunable in
> syslog-ng 1.5 where you can set it to a higher value.
>
> options { log_msg_size(8192); };

This doesn't fix the problem for us.

It seems that there is a problem in the syslog(3) implementation,
at least on Solaris. Maybe on Linux, too.

This is important, because snmptrapd feeds its messages via syslog(3)
to syslog-ng. So syslog-ng never gets the correct message, because
it's truncated in libc before syslog-ng receives it.

Our solution was to patch snmptrapd to log its messages via a local
Unix DGRAM socket and use this socket as message source for syslog-ng.
This fixes the problem and has worked pretty well and very stably for more than
one year in our environment.

--
Best regards --Andreas Schulze
[phone: +49.5246.80.1275, fax: +49.5246.80.2275]
| I believe, it was Dennis Ritchie who said something like:
| "C is rarely the best language for a given task,
| but it's often the second-best".
| The implication being that: "[...]"
| http://www.ioccc.org/1990/dds.c
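
The workaround described in the message above, sketched as an added example (this is not the poster's snmptrapd patch): the sender writes one complete datagram to a Unix DGRAM socket instead of calling syslog(3), so libc never gets a chance to cut the text. The function names, the socket path, the `<PRI>snmptrapd:` framing and the loopback receiver standing in for a syslog-ng `unix-dgram()` source are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#define MAX_MSG 8192  /* same ceiling as log_msg_size(8192) in the thread */

static int unix_addr(struct sockaddr_un *a, const char *path)
{
    memset(a, 0, sizeof *a);
    a->sun_family = AF_UNIX;
    return (size_t)snprintf(a->sun_path, sizeof a->sun_path, "%s", path) < sizeof a->sun_path ? 0 : -1;
}

/* Send "<PRI>snmptrapd: msg" as one datagram; refuse (-1) rather than truncate. */
ssize_t send_trap_log(const char *path, int facility, int severity, const char *msg)
{
    char buf[MAX_MSG];
    struct sockaddr_un a;
    int n = snprintf(buf, sizeof buf, "<%d>snmptrapd: %s", facility * 8 + severity, msg);
    if (n < 0 || (size_t)n >= sizeof buf || unix_addr(&a, path) < 0) return -1;
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    ssize_t sent = sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&a, sizeof a);
    close(fd);
    return sent;
}

/* Constructed loopback check: bind where the log daemon would listen, send msg_len bytes. */
ssize_t roundtrip_len(const char *path, size_t msg_len)
{
    char in[MAX_MSG], msg[2 * MAX_MSG];
    struct sockaddr_un a;
    ssize_t got = -1;
    if (msg_len >= sizeof msg || unix_addr(&a, path) < 0) return -1;
    int rx = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (rx < 0) return -1;
    memset(msg, 'A', msg_len);
    msg[msg_len] = '\0';
    unlink(path);
    if (bind(rx, (struct sockaddr *)&a, sizeof a) == 0 &&
        send_trap_log(path, 17, 5, msg) > 0)  /* 17 = local1, 5 = notice */
        got = recv(rx, in, sizeof in, 0);
    close(rx);
    unlink(path);
    return got;
}

int main(void) { printf("%zd bytes delivered\n", roundtrip_len("/tmp/trapdemo.sock", 3000)); return 0; }
```

A 3000-byte trap text arrives whole, well past the 1024-byte default mentioned in the thread; anything that would not fit in the 8192-byte buffer is rejected by the sender, so the loss is visible at the source instead of showing up as a split message downstream.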