[syslog-ng] NG 6.0.9 UDP Forwarding & Spoof Source

Schoonover, Mark E HHHH Mark.Schoonover at Cigna.com
Tue Apr 10 17:34:19 UTC 2018


I'm using NG to forward via UDP to the QRadar platform. We've noticed that long messages get truncated to 1024 bytes. I thought it was because of forwarding using RFC3164, which has a limit of 1024, but forwarding using RFC5424 does not have a message limit. In the manual, though, for the spoof-source option there's this warning:

When using the spoof-source option, syslog-ng PE automatically truncates long messages to 1024 bytes, regardless
of the settings of log-msg-size().

Does this mean no matter what, the max UDP forwarded message spoofing the source is 1024 bytes regardless of RFC?



Mark Schoonover - KA6WKE
Infrastructure Engineering Manager
ENE   : Tools, Instrumentation and Common Services Team
Office: 32.8697° N, 116.9711° W
Phone : 770-261-7934
Email : mark.schoonover at cigna.com
HPSM Team: ENE NMS Engineering
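
One way to measure where the truncation described above happens is to push self-describing probe messages through the relay and compare declared and received lengths at the collector. This is an added example, not part of the original post or of syslog-ng; the probe marker, the host and app names and port 5514 are assumptions made for illustration.

```python
import re
import socket

# Assumption: the "probe len=<N> " marker is made up for this example; it is
# not a syslog-ng or QRadar convention.
PROBE_RE = re.compile(rb"probe len=(\d+) ")

def build_probe(payload_len, host="relay-test", app="trunc-probe"):
    """RFC 5424 datagram whose MSG declares how many filler bytes follow."""
    header = f"<14>1 2018-04-10T17:34:19Z {host} {app} - - - ".encode()
    return header + b"probe len=%d " % payload_len + b"A" * payload_len

def check_datagram(data):
    """Compare the declared filler length with what actually arrived."""
    m = PROBE_RE.search(data)
    if m is None:
        return {"probe": False}
    declared = int(m.group(1))
    received = len(data) - m.end()
    return {"probe": True, "datagram_bytes": len(data), "declared": declared,
            "received": received, "truncated": received < declared}

def send_probes(dest, sizes=(500, 1500, 4000)):
    """Send one probe per size to the relay's UDP source (dest = (host, port))."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for n in sizes:
            s.sendto(build_probe(n), dest)

def listen(bind_addr=("0.0.0.0", 5514), count=3):
    """Run on the collector side: receive `count` datagrams and check each."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind_addr)
        for _ in range(count):
            data, _peer = s.recvfrom(65535)
            results.append(check_datagram(data))
    return results

if __name__ == "__main__":
    # Constructed offline demo: simulate a relay that cuts the datagram at 1024.
    for size in (500, 1500, 4000):
        print(size, check_datagram(build_probe(size)[:1024]))
```

Running the same probes with spoof-source enabled and disabled on the relay's destination shows whether the 1024-byte cut follows that option or the message format.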

