[syslog-ng] syslog 1024 byte limit work around

Sandor Geller sandor.geller at ericsson.com
Wed May 31 15:30:36 UTC 2017


Could happen however the default of log_msg_size() was 8192 for a decade 
and it has been raised to 64k recently so maybe multiline logs are 
involved too.

The OP should provide more details.



On 05/31/2017 04:57 PM, Evan Rempel wrote:
> This might be resolved by setting the syslog-ng configuration option 
> of log_msg_size to a larger value. We use
> log_msg_size(32768);
> Evan.
> On 05/31/2017 05:32 AM, Corey Davelaar wrote:
>> Hello,
>> I'm new to the group and hopefully it's not a repeat question.  I was 
>> guided to this mailing list by a balabit tech support rep.
>> We use splunk on the back end of syslog-ng and we have some syslog 
>> sources that utilize very long syslog messages, that end up being 
>> over 1024 bytes.  We switched from udp to tcp as the transport and 
>> now we are seeing the tail end of the syslog messages, but splunk 
>> gets confused by the inputs and treats each line as a separate syslog 
>> message and completely unrelated to the previous one, because that�s 
>> how syslog-ng is treating it.
>> I was wondering if there is a way to tell syslog-ng that if a new 
>> packet doesn�t start with a standard syslog timestamp to treat it as 
>> a continuation of the previous message or somehow combine it with a 
>> previous message, utilizing a buffer type of setting.
>> Thanks,
>> Corey
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20170531/1188b0a7/attachment.html>

More information about the syslog-ng mailing list