[syslog-ng] Packet fragmentation issue

Sandor Geller Sandor.Geller at morganstanley.com
Tue Mar 6 11:42:02 CET 2012


Hi,

There is no syslog-ng 2.4.1 version, the last 2.x version was 2.1.4
which is pretty much obsolete. Anyway, syslog-ng and any syslog daemon
in general isn't a transport mechanism for arbitrary content so some
limitations are in place. You're using spoofing which means UDP. The
64k size limitation of a single UDP datagram is definitely a limiting
factor. What is log_msg_size in your config? How long are the lines in
the logfiles which end up split into multiple messages on the other
end?

Regards,

Sandor

2012/3/2 José Moreno <jmorenoa at gmail.com>:
> Sorry, my previous message went out unfinished and I see I've placed it as an answer to someone else's question.
>
> I just wanted to add that I was posting because I had not seen this issue in the list; sorry if I'm wrong.
>
> Thanks very much in advance.
> Kind regards.
>
> Sent from my iPhone
>
> On 02/03/2012, at 14:40, José Moreno <jmorenoa at gmail.com> wrote:
>
>> Hi all,
>>
>> I'm running syslog-ng 2.4.1; log sources send to a log server which, besides keeping the original data as is in files, forwards them in real time to a SIEM, spoofing the source IP.
>>
>> My problem comes after some logs are too long to fit in a single frame: the log server fragments those packets when sending them to the SIEM, and spoofing is not performed for them.
>>
>> Sent from my iPhone