#1  Just Joined! (joined Jul 2012, 5 posts)

    Long Syslog messages getting dropped


    Hello,

    I am running Debian Squeeze 6.0.5.

    Currently, the Debian server is set up as a central syslog server receiving syslog messages from other Linux hosts (Fedora, Debian, RHEL, CentOS, etc.) and from some Windows servers.

    The syslog messages from the Windows servers are being sent via Snare.

    We have recently noticed that the longer messages from the Windows events are not being received in syslog. Any events that seem to be a certain length are just dropped and never reported.

    If I configure Snare to send these messages to our CentOS 5.1 server, the messages are received, but they are cut off at a certain length (they still contain the vital info). I could just make the CentOS server my central syslog server, but this isn't ideal, as I have many servers already pointing to the Debian one.

    Is there anything I can do on the Debian syslog server to ensure that these messages are received, or even cut off like the ones on CentOS?

#2  Linux Newbie (joined Jun 2012, SF Bay area, 195 posts)
    I haven't had to mess with syslog in a long time, meaning I haven't set up anything but local syslog, but this article suggests there's a hard limit coded into "syslogd".

    BSDpants: Truncated syslog messages

    But since their solution is to edit the source and recompile, I'd suggest looking into using "syslog-ng" instead. If you're going to mess with your server you might as well install a more flexible syslog server. And if your Debian system is already running syslog-ng, then other articles say that the maximum message size is just a configuration option. So no source code twiddling and recompiling will be necessary.

#3  Irithori, Trusted Penguin (joined May 2009, Munich, 3,410 posts)
    Afaik, this issue is independent of the syslog server implementation.
    512 bytes is hardcoded because each line is sent via ONE UDP packet.
    See RFC 791:

        All hosts must be prepared to accept datagrams of up to 576 octets
        (whether they arrive whole or in fragments). It is recommended that
        hosts only send datagrams larger than 576 octets if they have
        assurance that the destination is prepared to accept the larger
        datagrams.

    We had a similar problem and recompiled rsyslog with 1024 bytes, as this should still fit in one packet.
    I wouldn't go beyond that unless you have jumbo frames configured and working on all network devices that need to deal with syslog in that network segment.
    You must always face the curtain with a bow.

#4  Linux Newbie (joined Jun 2012, SF Bay area, 195 posts)
    Quote, originally posted by Irithori:

        Afaik, this issue is independent of the syslog server implementation.
        512 bytes is hardcoded because each line is sent via ONE UDP packet.
        See RFC 791

        We had a similar problem and recompiled rsyslog with 1024 bytes, as this should still fit in one packet.
        I wouldn't go beyond that unless you have jumbo frames configured and working on all network devices that need to deal with syslog in that network segment.
    That, meaning UDP limitations, was my gut instinct too. I know you can use TCP instead of UDP with syslog-ng so you can avoid the whole issue by switching.

#5  Irithori, Trusted Penguin (joined May 2009, Munich, 3,410 posts)
    TCP (plus payload config, as syslog still assumes 512 bytes) is a way, if you can live with the overhead.
    Today's machines and networks can, unless we are talking thousands of machines and a high logging frequency.

    But this needs to be configured on both client and server.
    No problem with something like syslog-ng and rsyslog,
    but I am not sure about Snare.
    I believe it has its own, syslog-incompatible protocol over TCP, which offers authentication, encryption, etc.
    You must always face the curtain with a bow.
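Posts #3 and #5 between them describe the three behaviours seen in this thread: a UDP datagram has to be read in a single recvfrom() call into a fixed buffer, so whatever does not fit is gone before the daemon ever sees it (cut off, or dropped outright if the daemon refuses over-limit input), whereas TCP is a byte stream with no per-message size at the transport level and needs framing to tell one event from the next. The script below is an added example, not code from the thread, from Snare, or from rsyslog; it uses loopback sockets, constructed Snare-style event lines, and RFC 6587 octet-counting framing on the TCP side. The 1024-byte buffer size, the `policy` argument and the `max_len` limit are assumptions chosen to reproduce the thread's symptoms.

```python
"""UDP vs TCP delivery of long syslog lines (added example, not from the thread).

Constructed sample events and loopback sockets only; no Snare or rsyslog code.
The TCP side implements RFC 6587 octet-counting framing.
"""
import socket
import threading
from typing import List, Optional, Tuple

# Constructed sample lines in the tab-separated layout Snare uses for Windows
# events; the 4624 line is padded to ~1.5 KB to exceed a 1024-byte buffer.
SHORT_EVENT = b"<13>Jul 10 12:00:01 WINSRV MSWinEventLog\t1\tSecurity\t4634\tlogoff"
LONG_EVENT = (b"<13>Jul 10 12:00:00 WINSRV MSWinEventLog\t1\tSecurity\t4624\t"
              + b"A" * 1500)


def udp_receive(msg: bytes, bufsize: int, policy: str) -> Optional[bytes]:
    """Deliver one datagram to a loopback UDP listener that reads into a
    `bufsize`-byte buffer. The kernel discards whatever part of a datagram
    does not fit. policy='truncate' keeps the first `bufsize` bytes (the
    CentOS symptom); policy='drop' discards the whole event, which is what
    a receiver that refuses over-limit input looks like (the Debian symptom)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(2)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        cli.sendto(msg, srv.getsockname())
        # Read one byte more than the limit so truncation is detectable.
        data, _ = srv.recvfrom(bufsize + 1)
    finally:
        cli.close()
        srv.close()
    if len(data) <= bufsize:
        return data
    return data[:bufsize] if policy == "truncate" else None


def frame(msg: bytes) -> bytes:
    """RFC 6587 octet-counting: '<length> <message>'. The length prefix, not a
    packet boundary, tells the receiver where each event ends."""
    return b"%d %s" % (len(msg), msg)


def parse_frames(buf: bytes, max_len: int) -> Tuple[List[Tuple[str, bytes]], bytes]:
    """Pull complete octet-counted frames off a TCP stream buffer.

    Returns (frames, remainder). Each frame is ('ok', payload) or
    ('too_long', payload): an over-limit event is consumed and reported
    rather than silently lost, so the operator can see the limit was hit."""
    frames = []
    while True:
        sp = buf.find(b" ")
        if sp <= 0 or not buf[:sp].isdigit():
            break                      # no complete length prefix yet (or garbage)
        n = int(buf[:sp])
        start = sp + 1
        if len(buf) - start < n:
            break                      # frame not fully received yet
        payload = buf[start:start + n]
        buf = buf[start + n:]
        frames.append(("ok" if n <= max_len else "too_long", payload))
    return frames, buf


def tcp_receive(msgs: List[bytes], max_len: int) -> List[Tuple[str, bytes]]:
    """Stream several framed events over one loopback TCP connection and return
    what the receiver parsed. Long events arrive intact: the kernel reassembles
    the stream and the framing delimits the events."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    received: List[Tuple[str, bytes]] = []

    def serve() -> None:
        conn, _ = srv.accept()
        buf = b""
        while True:
            chunk = conn.recv(4096)    # read boundaries do not align with events
            if not chunk:
                break
            buf += chunk
            frames, buf = parse_frames(buf, max_len)
            received.extend(frames)
        conn.close()

    worker = threading.Thread(target=serve)
    worker.start()
    cli = socket.create_connection(srv.getsockname())
    for m in msgs:
        cli.sendall(frame(m))
    cli.close()
    worker.join()
    srv.close()
    return received


if __name__ == "__main__":
    print("UDP, 1024-byte buffer, truncate:", len(udp_receive(LONG_EVENT, 1024, "truncate")), "bytes")
    print("UDP, 1024-byte buffer, drop:", udp_receive(LONG_EVENT, 1024, "drop"))
    for status, payload in tcp_receive([SHORT_EVENT, LONG_EVENT], max_len=8192):
        print("TCP:", status, len(payload), "bytes")
```

Run as-is, the UDP receiver returns 1024 bytes of the long event under the truncate policy and None under the drop policy, while the TCP receiver returns both events whole; with `max_len=1024` on the TCP side the long event is still consumed, but flagged `too_long` instead of vanishing. The point for the thread is that the limit is a receiver configuration that must match on both ends, as post #5 says: in rsyslog's legacy configuration syntax that is `$MaxMessageSize` (placed before any `$ModLoad` line, since it applies to the inputs loaded after it) together with `$ModLoad imtcp` and `$InputTCPServerRun 514` on the server, and `*.* @@server:514` (two @ signs selects TCP) on Linux clients; what Snare can be made to send over TCP is left open in the thread.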

#6  Just Joined! (joined Jul 2012, 5 posts)
    Thanks for all the help, I will try the above suggestions!
