[syslog-ng] Filtering Large Syslog Messages
Nate Campi
nate@campin.net
Wed, 29 Jan 2003 14:10:04 -0800
On Wed, Jan 29, 2003 at 02:19:26PM -0500, Brian E. Seppanen wrote:
>
> Unfortunately a number of traps are getting cut off at a specific
> point, and the remainder of the trap ends up in syslog and not in the
> proper destination.
<snip>
> All of the message would be coming in via local1 so it's not that a
> pattern match is failing..
It's that the message is broken into two, and since syslog messages have
the priority (facility/severity) info at the start of the message, the
second half has no priority info at all.
To conform to RFC 3164 a syslog daemon has to prepend the "unknown"
priority to a message that doesn't have one (13 or user.info). I'm sure
this is what syslog-ng does, though I'm too lazy to look and see.
Anyways, the point is that you need syslog-ng to *not* break up your
large messages. 1024 bytes is the default.
A Google search turns up proof of my theory:
<URL:http://lists.balabit.hu/pipermail/syslog-ng/2002-April/003169.html>
...and another search finds that syslog-ng has an option to address your
need:
<URL:http://citadelle.intrinsec.com/mailing/current/HTML/ml_syslogng/0697.html>
Up your max message size with log_msg_size().
--
Nate Campi http://www.campin.net
"To promise not to do a thing is the surest way in the world to make a
body want to go and do that very thing." - Samuel Clemens
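The mechanism Nate describes above, as an added example that is not part of the original message or of syslog-ng itself: a message longer than the receiver's limit is cut into pieces, only the first piece carries the `<PRI>` header, and the continuation is therefore stamped with the RFC 3164 default priority 13 and falls through a facility filter into the catch-all log. The receiver model, the sample trap line and the 1024/8192 limits are constructed for illustration (1024 is the default the message mentions; the larger value stands in for what `log_msg_size()` would be raised to).

```python
# Added example: why a split syslog message lands in the wrong destination.
# The splitting receiver is a constructed model of the behaviour discussed in
# the thread, not syslog-ng's own code.
import re

DEFAULT_PRI = 13  # RFC 3164: a message with no usable PRI is given <13>
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample: an SNMP trap logged at local1.info (17*8 + 6 = 142),
# padded well past 1024 bytes.
SAMPLE = b"<142>Jan 29 14:10:04 trapper snmptrapd: " + b"x" * 1500


def parse_pri(msg: bytes):
    """Return (facility, severity, body) for one raw syslog message.

    A message without a leading <PRI>, or with one outside 0..191, gets the
    default priority 13 exactly as an RFC 3164 relay is required to do.
    """
    m = PRI_RE.match(msg.decode("ascii", "replace"))
    if m and 0 <= int(m.group(1)) <= 191:
        pri = int(m.group(1))
        body = msg[m.end():]        # PRI is pure ASCII, so str index == byte offset
    else:
        pri = DEFAULT_PRI
        body = msg
    return pri >> 3, pri & 7, body


def receive(raw: bytes, max_size: int):
    """Model a receiver that chops anything longer than max_size into
    max_size-byte pieces and parses each piece as a message of its own."""
    pieces = [raw[i:i + max_size] for i in range(0, len(raw), max_size)]
    return [parse_pri(p) for p in pieces]


def route(parsed):
    """Route on facility, mirroring a filter(facility(local1)) rule:
    facility 17 goes to the trap file, everything else to the catch-all."""
    dests = {"traps.log": [], "messages": []}
    for facility, _severity, body in parsed:
        dests["traps.log" if facility == 17 else "messages"].append(body)
    return dests


if __name__ == "__main__":
    for limit in (1024, 8192):
        dests = route(receive(SAMPLE, limit))
        print(f"limit={limit}: traps.log={len(dests['traps.log'])} "
              f"messages={len(dests['messages'])}")
```

With the 1024-byte limit the trap arrives as two records: the first is parsed as facility 17 (local1) and goes to `traps.log`, while the tail has no `<PRI>`, is assigned 13 (facility 1, severity 5) and ends up in the catch-all. With the limit raised above the message length there is a single record and nothing leaks.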