Is the sending system truncating things? Some versions of logger don't
support sending very large messages.
I've used this before to send massive messages to rsyslog:
#!/usr/bin/python
import fileinput
import syslog

def mainloop():
    # Forward each line from stdin (or from files named as arguments) to syslog
    for myline in fileinput.input():
        syslog.syslog("Authgateway|" + str(myline))

if __name__ == '__main__':
    mainloop()
You could call that logger or logger.py and pipe your syslog data to that.
Hope that helps.
Cheers,
JB
On Wed, Sep 9, 2015 at 7:00 AM, Robert Gabriel <[email protected]> wrote:
> Hi,
>
> We are receiving on TCP 514, FireEye syslog in XML concise format.
>
> Events appear to be truncated at different lengths.
>
> We have tried by increasing max message size but no joy.
>
> Please can we have some help?
>
> Thank you.
>
> $MaxMessageSize 512k
> $MainMsgQueueSize 100000 # 100000 may be a value to handle burst traffic
>
> $RuleSet FIREEYE
> $template FireEye,"%rawmsg%\n"
> $InputTCPServerBindRuleset FIREEYE
> $InputTCPServerRun 514
> *.* /media/data/rsyslog/fireeye;FireEye
> & ~
> $RuleSet RSYSLOG_DefaultRuleset
>
> And the TCP trace from Wireshark showing entire XML event:
>
> http://pastebin.com/2L3UGWtB
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
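A way to narrow down where the truncation described in this thread happens, as an added example that is not code from the thread: it compares payloads taken from a packet capture with the records the receiver wrote, and reports whether they all stop at one fixed byte count (which points at a size limit) or each ends at a line break inside the payload (which points at message framing, since plain TCP syslog treats LF as the record delimiter). The function names and all sample payloads are constructed for illustration.

```python
# Added example (not from the thread). All payloads below are constructed.

def classify(sent, received):
    """Describe how one payload from the capture shows up in the receiver's records."""
    if sent in received:
        return {"status": "intact", "kept": len(sent)}
    # Records that reproduce the start of the payload and then stop early.
    prefixes = [r for r in received if r and sent.startswith(r)]
    if not prefixes:
        return {"status": "missing", "kept": 0}
    kept = max(len(r) for r in prefixes)
    # An LF right after the kept part means the record ended at a line break
    # inside the payload rather than at a byte count.
    if sent[kept:kept + 1] == b"\n":
        return {"status": "split_at_newline", "kept": kept}
    return {"status": "cut_at_length", "kept": kept}


def diagnose(sent_payloads, received):
    """Summarise all payloads: intact, size_limit, newline_framing or unclear."""
    damaged = [c for c in (classify(s, received) for s in sent_payloads)
               if c["status"] != "intact"]
    if not damaged:
        return "intact"
    statuses = {c["status"] for c in damaged}
    if statuses == {"split_at_newline"}:
        return "newline_framing"  # cut points vary with the payload's layout
    if statuses == {"cut_at_length"} and len({c["kept"] for c in damaged}) == 1:
        return "size_limit"       # every payload stops at the same byte count
    return "unclear"


# Constructed multi-line XML payloads, as they might appear in a capture.
SENT = [
    b'<alert id="1">\n  <src>10.0.0.5</src>\n</alert>',
    b'<alert id="2"><name>x</name>\n<dst>10.0.0.9</dst></alert>',
]
# Constructed receiver output: one record per line of the payloads above.
RECEIVED_SPLIT = [line for p in SENT for line in p.split(b"\n")]
# Constructed single-line payloads and records cut at a fixed 2048 bytes.
CAPPED_SENT = [b"A" * 3000, b"B" * 5000]
CAPPED_RECV = [p[:2048] for p in CAPPED_SENT]

if __name__ == "__main__":
    for s in SENT:
        print(classify(s, RECEIVED_SPLIT))
    print(diagnose(SENT, RECEIVED_SPLIT), diagnose(CAPPED_SENT, CAPPED_RECV))
```

To use it on real data, pass the reassembled TCP payloads from the capture as `sent_payloads` and the lines of the output file, read in binary mode with the trailing newline stripped, as `received`.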