[syslog-ng] syslog 1024 byte limit work around

Evan Rempel erempel at uvic.ca
Wed May 31 14:57:28 UTC 2017


This might be resolved by setting the syslog-ng configuration option of log_msg_size to a larger value. We use

log_msg_size(32768);

Evan.

On 05/31/2017 05:32 AM, Corey Davelaar wrote:
>
> Hello,
>
>
> I'm new to the group and hopefully it's not a repeat question.  I was guided to this mailing list by a Balabit tech support rep.
>
>
> We use Splunk on the back end of syslog-ng and we have some syslog sources that utilize very long syslog messages, that end up being over 1024 bytes.  We switched from UDP to TCP as the transport and now we are seeing the tail end of the syslog messages, but Splunk gets confused by the inputs and treats each line as a separate syslog message and completely unrelated to the previous one, because that's how syslog-ng is treating it.
>
> I was wondering if there is a way to tell syslog-ng that if a new packet doesn't start with a standard syslog timestamp to treat it as a continuation of the previous message or somehow combine it with a previous message, utilizing a buffer type of setting.
>
> Thanks,
>
> Corey
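
A check for the symptom described in this thread, added here as an example and not part of either message or of syslog-ng: it scans stored log lines for ones that lack a syslog header, groups them with the preceding message, and reports the reassembled size so that a log_msg_size value can be chosen and then verified after the change. The header regex, the function names, the power-of-two rounding and the sample lines are all assumptions constructed for illustration.

```python
import re

# Assumption: a complete message starts with an optional <PRI>, an optional
# RFC 5424 version digit, then an RFC 3164 ("May 31 14:57:28") or
# ISO 8601 ("2017-05-31T14:57:28") timestamp.
HEADER = re.compile(
    r"^(?:<\d{1,3}>)?(?:\d+ )?"
    r"(?:[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}"
    r"|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
)

def find_split_messages(lines):
    """Return (first_line_no, fragment_count, total_bytes) for each message
    that is followed by one or more header-less continuation lines."""
    groups = []  # each entry: [first_line_no, fragment_count, total_bytes]
    for no, line in enumerate(lines, start=1):
        size = len(line.rstrip("\n").encode("utf-8"))
        if HEADER.match(line) or not groups:
            groups.append([no, 1, size])   # start of a new message
        else:
            groups[-1][1] += 1             # continuation fragment
            groups[-1][2] += size
    return [tuple(g) for g in groups if g[1] > 1]

def suggested_log_msg_size(split_messages, floor=1024):
    """Smallest power-of-two multiple of `floor` that holds the largest
    reassembled message (rounding policy is an assumption of this example)."""
    need = max((total for _, _, total in split_messages), default=0)
    size = floor
    while size < need:
        size *= 2
    return size

# Constructed sample: line 2 is exactly 1024 bytes, lines 3-4 are its tail.
SAMPLE = [
    "<134>May 31 05:30:01 fw01 app: short message\n",
    "<134>May 31 05:30:02 fw01 app: " + "A" * 993 + "\n",
    "B" * 1024 + "\n",
    "C" * 300 + "\n",
    "<134>May 31 05:30:03 fw01 app: another short message\n",
]

if __name__ == "__main__":
    found = find_split_messages(SAMPLE)
    for first, count, total in found:
        print(f"line {first}: {count} fragments, {total} bytes reassembled")
    print("log_msg_size of at least", suggested_log_msg_size(found))
```

An empty result from `find_split_messages` on logs collected after the configuration change indicates that messages are arriving whole.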
