I'm trying with 1.8.13 to get full logging of requests that would push
the syslog message beyond 1024 characters.  I'm not having very good luck.

I have this config in global:

  log 127.0.0.1   len 65535 format rfc5424 local0
  log 127.0.0.1   len 65535 format rfc5424 local1 notice

In some of the backends, I have this:

  no log
  log 127.0.0.1   len 65535 format rfc5424 local0 notice err

Can't remember precisely why I did that, but I came up with that config
(minus the len and format parameters) a while back after discussing
something with this mailing list.

Here's a logging message from a test with a long URL path:

Aug 14 14:25:48 smeagol haproxy[39296] 209.63.XXX.YYY:30626
[14/Aug/2018:14:25:48.365] web-443~ be-ssl-purg-4001/gollum 0/0/1/37/43
404 18221 - - --VN 2/2/0/1/0 0/0 {REDACTED} "GET
/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/eee/ddd/rrr/fff/111/ee"

The actual URL path that I tried to access is about half again as long
as what got logged.  Notice that there is a quote at the end of the
message, telling me that haproxy truncated the request and put quotes
around it.

I did a packet capture of the UDP/514 traffic and it shows that rsyslogd
did log all of what was sent.  In the rsyslogd config, I have
"$MaxMessageSize 64k" to ensure that the config is good on that side.

I read somewhere that UDP can artificially reduce the max packet size to
4K, but this URL was not long enough to exceed that size, so I'm not
overly concerned about it right now.  I did not see any way in haproxy
to request TCP for the syslog.  Ultimately I would like to be able to
handle more than 4K -- for the Solr servers at work, there are sometimes
requests about 20K in length.

Aside from enabling the capture of the "host" header, which I redacted
from the log entry above, I have not modified the http log format.

Is there any config that will successfully log the full request?

Thanks,
Shawn
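
Added example (not part of the original message, and not HAProxy code): a Python check that separates the two failure modes the message distinguishes, a request field that was closed with a quote but lost its tail, and a line that was cut before the closing quote was ever written. It assumes the default "option httplog" layout, where the request is the last quoted field and contains no literal quote; the function name and the sample lines are constructed.

```python
import re

# A complete request line ends with the protocol version token.
HTTP_VERSION = re.compile(r' HTTP/\d(?:\.\d)?$')

def check_request_field(line):
    """Classify the quoted request field of one HAProxy HTTP log line.

    Returns (status, length_of_logged_request) where status is:
      'complete'       closing quote present and the HTTP version is there
      'truncated'      closing quote present but no HTTP version, so the
                       request was shortened before the quote was added
      'cut-in-transit' opening quote only, so the line itself was cut
                       after it was formatted (datagram or receiver limit)
      'no-request'     no quoted field on the line
    """
    line = line.rstrip()
    closed = line.endswith('"')
    # Look for the opening quote, skipping the closing one if present.
    opening = line.rfind('"', 0, len(line) - 1 if closed else len(line))
    if opening == -1:
        return ('cut-in-transit', 0) if closed else ('no-request', 0)
    request = line[opening + 1:len(line) - 1] if closed else line[opening + 1:]
    if not closed:
        return ('cut-in-transit', len(request))
    status = 'complete' if HTTP_VERSION.search(request) else 'truncated'
    return (status, len(request))

# Constructed sample lines modelled on the log entry in the message.
PREFIX = ('Aug 14 14:25:48 host haproxy[1] 192.0.2.10:30626 '
          '[14/Aug/2018:14:25:48.365] web-443~ be/srv 0/0/1/37/43 '
          '404 18221 - - --VN 2/2/0/1/0 0/0 ')
LONG_PATH = '/ddd/rrr/fff/111/eee' * 60          # 1200-character path
CUT = 1000                                       # arbitrary constructed cut
SAMPLE = [
    PREFIX + '"GET /index.html HTTP/1.1"',
    PREFIX + '"' + ('GET ' + LONG_PATH + ' HTTP/1.1')[:CUT] + '"',
    PREFIX + '"GET ' + LONG_PATH[:500],
]

if __name__ == '__main__':
    for entry in SAMPLE:
        status, length = check_request_field(entry)
        print(f'{status:15} request field = {length} chars')
```

Run over a day of logs, the count of 'truncated' entries and their common length shows whether every long request is being shortened at the same point, which is the part of the URL a reviewer never gets to see.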
