I am parsing IIS logs with Logstash and noticed that cookie field is being truncated in some cases (displays "cookie" => "..." instead of the actual value).
I see that other cookies in the events of similar length are being processed correctly. Entire event length does not exceed 4,000 characters, so i suppose everything should fit.
What could have gone wrong?
Asked
Active
Viewed 206 times
0
Nik
- 161
- 1
- 13
1 Answers
0
This seems to be by design. See this post.
Cause This behavior is by design. The length of each IIS log field value is limited to 4096 bytes (4k). If one of the field values is greater than 4096 bytes, that value will be replaced with the three dots. In the above example, the client's Cookie was larger than 4096 bytes and was therefore replaced with (...).
Workaround To workaround this issue, use one of the following options:
Write your own custom logging module that does not have the 4096 byte field limitation.
OR
Reduce the size of the request or response header values to be logged so that they are less than 4096 bytes and will therefore not be replaced by the three dots.
You can instead add a custom field, set it to dump your value from server variables or request header and set the maxCustomFieldLength. However that seems to truncate the data to 4k rather than replacing it with "...". See this post. Slight improvement but not 100% ideal.
chrisp_68
- 1,731
- 23
- 41