[syslog-ng] syslog 1024 byte limit work around
Sandor Geller
sandor.geller at ericsson.com
Wed May 31 15:30:36 UTC 2017
Hi,
Could happen; however, the default of log_msg_size() was 8192 for a decade
and it has been raised to 64k recently, so maybe multiline logs are
involved too.
The OP should provide more details.
Regards,
Sandor
On 05/31/2017 04:57 PM, Evan Rempel wrote:
> This might be resolved by setting the syslog-ng configuration option
> of log_msg_size to a larger value. We use
>
> log_msg_size(32768);
>
> Evan.
>
> On 05/31/2017 05:32 AM, Corey Davelaar wrote:
>>
>> Hello,
>>
>>
>> I'm new to the group and hopefully it's not a repeat question. I was
>> guided to this mailing list by a Balabit tech support rep.
>>
>>
>> We use Splunk on the back end of syslog-ng and we have some syslog
>> sources that utilize very long syslog messages that end up being
>> over 1024 bytes. We switched from UDP to TCP as the transport and
>> now we are seeing the tail end of the syslog messages, but Splunk
>> gets confused by the inputs and treats each line as a separate syslog
>> message and completely unrelated to the previous one, because that's
>> how syslog-ng is treating it.
>>
>> I was wondering if there is a way to tell syslog-ng that if a new
>> packet doesn't start with a standard syslog timestamp to treat it as
>> a continuation of the previous message or somehow combine it with a
>> previous message, utilizing a buffer type of setting.
>>
>> Thanks,
>>
>> Corey
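The behaviour discussed in this thread, as an added example (not from the list posts and not syslog-ng code): a Python model of a receiver that cuts an incoming line at a size limit, plus the "no syslog timestamp means continuation" rejoin asked about in the original question. The function names, the constructed sample messages and the fixed-size-cut model are assumptions made for illustration.

```python
import re

# BSD-syslog (RFC 3164) style header: optional <PRI>, then "Mmm dd hh:mm:ss ".
HEADER = re.compile(
    rb"^(?:<\d{1,3}>)?"
    rb"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d \d{2}:\d{2}:\d{2} "
)

def split_at_limit(line: bytes, limit: int) -> list:
    """Assumed model of a receiver whose message size limit is too small:
    the line is cut every `limit` bytes and each piece becomes its own record."""
    return [line[i:i + limit] for i in range(0, len(line), limit)]

def reassemble(records, max_size: int = 65536) -> list:
    """Append records that lack a syslog header to the previous record.

    max_size bounds the rebuilt message so a stream of headerless input
    cannot grow one buffer without limit."""
    out = []
    for rec in records:
        starts_new = HEADER.match(rec) is not None
        if starts_new or not out or len(out[-1]) + len(rec) > max_size:
            out.append(rec)
        else:
            out[-1] += rec
    return out

# Constructed sample input: one 2431-byte message and one short message.
LONG = b"<134>May 31 15:30:36 fw01 app: " + b"field=value;" * 200
SHORT = b"<134>May 31 15:30:37 fw01 app: ok"

def demo():
    fragments = split_at_limit(LONG, 1024)        # what a 1024-byte limit yields
    rebuilt = reassemble(fragments + [SHORT])     # header-based rejoin
    return fragments, rebuilt

if __name__ == "__main__":
    frags, rebuilt = demo()
    print("fragments:", [len(f) for f in frags])
    print("rebuilt:  ", [len(m) for m in rebuilt])
```

The heuristic misjoins in two cases: a fragment whose cut happens to land on text that looks like a timestamp is treated as a new message, and a genuinely headerless message is glued to its predecessor. Raising the size limit at the receiver, as suggested in the replies, avoids the split in the first place.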