[syslog-ng] Packet fragmentation issue
Jose Moreno
jmorenoa at gmail.com
Sun Mar 18 13:48:44 CET 2012
Thanks very much Bazsi,
I'll check connection tracking and will let the list know about any progress.
Kind regards.
José Moreno
On 18/03/2012, at 13:15, Balazs Scheidler <bazsi at balabit.hu> wrote:
> On Tue, 2012-03-06 at 11:42 +0100, Sandor Geller wrote:
>> Hi,
>>
>> There is no syslog-ng 2.4.1 version, the last 2.x version was 2.1.4
>> which is pretty much obsolete. Anyway, syslog-ng and any syslog daemon
>> in general isn't a transport mechanism for arbitrary content so some
>> limitations are in place. You're using spoofing which means UDP. The
>> 64k size limitation of a single UDP datagram is definitely a limiting
>> factor. What is log_msg_size in your config? How long are the lines in
>> the logfiles which end up split into multiple messages on the other
>> end?
>
> Yup, checking the code in question, it prepares a single UDP datagram,
> and sends it off fire-and-forget, without thinking a little bit about
> MTU settings.
>
> I'm not sure how libnet/kernel processes these packets, it might simply
> truncate them or drop them altogether.
>
> If the kernel chooses to refragment such packets (which might easily
> happen if you are using connection tracking on Linux, even if the core
> kernel doesn't do it), it should properly produce correct IP
> addresses in the 2nd and subsequent fragments.
>
> --
> Bazsi
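
The size limits discussed in this thread, worked through as an added example (not part of the thread and not syslog-ng code): it computes how a single UDP syslog datagram would be split into IPv4 fragments for a given MTU. The function names, the 1500-byte MTU and the option-less 20-byte IP header are assumptions.

```python
"""IPv4 fragmentation plan for one UDP syslog datagram (constructed example)."""

IP_HEADER = 20        # IPv4 header without options (assumption)
UDP_HEADER = 8        # fixed UDP header size
MAX_IP_TOTAL = 65535  # limit of the 16-bit IPv4 total-length field


def max_unfragmented_payload(mtu=1500):
    """Largest syslog message that fits in one unfragmented UDP datagram."""
    return mtu - IP_HEADER - UDP_HEADER


def plan_fragments(msg_len, mtu=1500):
    """Return [(offset_units, data_len, more_fragments), ...] for one message.

    offset_units is the IPv4 fragment-offset field, counted in 8-byte units.
    Every fragment repeats the IP header, so the source and destination
    addresses appear in all of them; the UDP header is only in the first.
    """
    datagram_len = UDP_HEADER + msg_len  # bytes the IP layer has to carry
    if IP_HEADER + datagram_len > MAX_IP_TOTAL:
        raise ValueError("message does not fit in a single UDP datagram")
    # Data carried per fragment must be a multiple of 8, except in the last.
    per_frag = (mtu - IP_HEADER) // 8 * 8
    if per_frag <= 0:
        raise ValueError("MTU too small to carry any fragment data")
    frags = []
    offset = 0
    while offset < datagram_len:
        size = min(per_frag, datagram_len - offset)
        more = offset + size < datagram_len  # MF flag: more fragments follow
        frags.append((offset // 8, size, more))
        offset += size
    return frags


if __name__ == "__main__":
    # Constructed sample sizes: one that fits, one byte over, and 8192 bytes.
    print("max unfragmented payload:", max_unfragmented_payload())
    for msg_len in (1472, 1473, 8192):
        print(msg_len, plan_fragments(msg_len))
```

Comparing `log_msg_size` against `max_unfragmented_payload()` for the path MTU shows whether messages sent over UDP can exceed a single packet.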