[syslog-ng] syslog 1024 byte limit work around
sandor.geller at ericsson.com
Wed May 31 15:30:36 UTC 2017
Could happen however the default of log_msg_size() was 8192 for a decade
and it has been raised to 64k recently so maybe multiline logs are
The OP should provide more details.
On 05/31/2017 04:57 PM, Evan Rempel wrote:
> This might be resolved by setting the syslog-ng configuration option
> of log_msg_size to a larger value. We use
> On 05/31/2017 05:32 AM, Corey Davelaar wrote:
>> I'm new to the group and hopefully it's not a repeat question. I was
>> guided to this mailing list by a balabit tech support rep.
>> We use splunk on the back end of syslog-ng and we have some syslog
>> sources that utilize very long syslog messages, that end up being
>> over 1024 bytes. We switched from udp to tcp as the transport and
>> now we are seeing the tail end of the syslog messages, but splunk
>> gets confused by the inputs and treats each line as a separate syslog
>> message and completely unrelated to the previous one, because that's
>> how syslog-ng is treating it.
>> I was wondering if there is a way to tell syslog-ng that if a new
>> packet doesn't start with a standard syslog timestamp to treat it as
>> a continuation of the previous message or somehow combine it with a
>> previous message, utilizing a buffer type of setting.
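Added example, not part of the thread and not syslog-ng code: a downstream sketch of the join the original poster describes, where a line that does not begin with a standard syslog timestamp is appended to the previous message. It assumes RFC 3164-style headers; the names `HEADER`, `reassemble` and `max_len` and the sample lines are constructed for illustration.

```python
import re

# Assumed header shape (RFC 3164 style): optional <PRI>, then "Mmm dd hh:mm:ss ".
HEADER = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d \d{2}:\d{2}:\d{2} "
)

def reassemble(lines, max_len=65536):
    """Join fragments that lack a syslog header onto the previous message.

    max_len bounds the buffer so a run of header-less input cannot grow
    one message without limit; on overflow the buffer is flushed and the
    fragment starts a new record.
    """
    messages, current = [], None
    for line in lines:
        line = line.rstrip("\r\n")
        if current is None or HEADER.match(line):
            if current is not None:
                messages.append(current)
            current = line
        elif len(current) + len(line) > max_len:
            messages.append(current)
            current = line
        else:
            # Continuation: the split happened mid-message, so no separator.
            current += line
    if current is not None:
        messages.append(current)
    return messages

# Constructed sample: one 1531-byte message cut at 1024 bytes, then a short one.
LONG = "<134>May 31 05:32:01 fw01 app: " + "A" * 1500
SHORT = "<134>May 31 05:32:02 fw01 app: short event"
SAMPLE = [LONG[:1024], LONG[1024:], SHORT]

if __name__ == "__main__":
    for msg in reassemble(SAMPLE):
        print(len(msg), msg[:50])
```

A join like this is a heuristic: a fragment that happens to begin with a timestamp-shaped string is treated as a new message. The `log_msg_size()` option mentioned in the thread works at the point where the message is read rather than after it has been split.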