[syslog-ng]Filtering Large Syslog Messages

Andreas Schulze Andreas.Schulze@mediaWays.NET
Mon, 03 Feb 2003 17:04:21 +0100

Balazs Scheidler wrote:
> On Wed, Jan 29, 2003 at 02:19:26PM -0500, Brian E. Seppanen wrote:
>>I have snmptrapd running so that any trap that it receives should be 
>>logged to local1.   I have  a filter taking anything received via local1 
>>to a specific file
>>Unfortunately a number of traps are getting cut off at a specific 
>>point, and the remainder of the trap ends up in syslog and not in the 
>>proper destination.

We are running snmptrapd and syslog-ng 1.5.x under Solaris 8 and
observed exactly the same problem.

> syslog defaults to 1024 byte long messages, but this value is tunable in
> syslog-ng 1.5 where you can set it to a higher value.
> options { log_msg_size(8192); };

This doesn't fix the problem for us.
It seems that there is a problem in the syslog(3) implementation
at least on Solaris. Maybe on Linux, too.
This is important, because snmptrapd feeds its messages via syslog(3)
to syslog-ng. So syslog-ng never gets the correct message, because
its truncated in libc before syslog-ng receive it.

Our solution was, to patch snmptrapd to log its messages via a local
Unix DGRAM socket and use this socket as message source for syslog-ng.
This fix the problem and works pretty fine and very stable for more than
one year in our environment.

Best regards --Andreas Schulze
                [phone: +49.5246.80.1275, fax: +49.5246.80.2275]

| I believe, it was Dennis Ritchie who said something like:
|   "C is rarely the best language for a given task,
|    but it's often the second-best".
| The implication being that: "[...]"
|     http://www.ioccc.org/1990/dds.c