
I use rsyslog to upload logs to my Graylog server.

/etc/rsyslog.conf:

$InputFileName /var/log/apache-error.log
$InputFileFacility apache
$InputFileTag #apacheError:
$InputFileStateFile apache-error
$InputFileSeverity error
$InputRunFileMonitor

if $programname == '#apacheAccess' then @1.2.3.4:1514

Some long messages are truncated in Graylog (the end of the message is unavailable).

When I tried to upload a long message with netcat in UDP:

echo -n -e "$(for i in $(seq 0 64000); do echo -n '0123456789';done)" | nc -u 1.2.3.4 1514

The message is in Graylog (in multiple messages, but all of the message is available).

Why is part of a message from rsyslog truncated, while a message from netcat is not?

Does a maximumSize parameter have to be increased or something?

I tried

$MaxMessageSize 256k
$MainMsgQueueDequeueBatchSize 256

but without success.

Thx

Paul

1 Answer

rsyslogd is using the syslog protocol, which is defined in RFC 3164. In section 4.1, it says:

The total length of the packet MUST be 1024 bytes or less.

Therefore, rsyslog does the right thing in splitting the message up into smaller packets, in order to comply with the standard for syslog messages.

The reason why ncat sends the message as one huge blob is that ncat doesn't know anything about the protocol for the type of message you're sending, so it's not aware that it ought to be splitting the message up.

Jenny D
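To make the 1024-byte limit quoted in the answer concrete, here is an added example (not code from the post or from rsyslog) of a sender that chunks one long log line into RFC 3164 datagrams that each stay within that limit. The hostname `web01`, the date and facility local0 (16) are assumptions; severity 3 (error) and the tag `#apacheError:` are taken from the question's configuration.

```python
from datetime import datetime

MAX_PACKET = 1024  # RFC 3164 section 4.1: total packet length limit
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def rfc3164_header(facility, severity, when, hostname, tag):
    """Build b'<PRI>Mmm dd hh:mm:ss HOSTNAME TAG ' (PRI = facility*8 + severity)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    # RFC 3164 pads a single-digit day with a space, not a zero.
    stamp = f"{MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{stamp} {hostname} {tag} ".encode("ascii")


def split_message(text, header, limit=MAX_PACKET):
    """Return datagrams (header + payload slice), none longer than `limit` bytes."""
    room = limit - len(header)
    if room < 4:  # need space for at least one 4-byte UTF-8 character
        raise ValueError("header leaves no room for payload")
    payload = text.encode("utf-8")
    packets, pos = [], 0
    while pos < len(payload):
        end = min(pos + room, len(payload))
        # Never cut inside a multi-byte UTF-8 sequence: back up to a start byte.
        while end < len(payload) and (payload[end] & 0xC0) == 0x80:
            end -= 1
        packets.append(header + payload[pos:end])
        pos = end
    return packets or [header]  # an empty message still yields one packet


if __name__ == "__main__":
    # Constructed sample: hostname, date and facility local0 (16) are assumptions;
    # severity 3 (error) and the tag come from the question's rsyslog.conf.
    hdr = rfc3164_header(16, 3, datetime(2024, 1, 5, 9, 3, 7), "web01", "#apacheError:")
    line = "0123456789" * 500  # 5000-byte message, like the netcat test but shorter
    for n, pkt in enumerate(split_message(line, hdr), 1):
        print(n, len(pkt), pkt[:45])
```

Every chunk repeats the header, so the receiver sees several complete syslog messages rather than one truncated one.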