2015-09-09 13:00 GMT+02:00 Robert Gabriel <[email protected]>:
> Hi,
>
> We are receiving on TCP 514, FireEye syslog in XML concise format.
>
> Events appear to be truncated at different lengths.
>
> We have tried by increasing max message size but no joy.
>
> Please can we have some help?
>
> Thank you.
>
> $MaxMessageSize 512k
> $MainMsgQueueSize 100000 # 100000 may be a value to handle burst traffic
>
> $RuleSet FIREEYE
> $template FireEye,"%rawmsg%\n"
> $InputTCPServerBindRuleset FIREEYE
> $InputTCPServerRun 514
> *.* /media/data/rsyslog/fireeye;FireEye
> & ~
> $RuleSet RSYSLOG_DefaultRuleset
>
> And the TCP trace from Wireshark showing entire XML event:
>
> http://pastebin.com/2L3UGWtB
The syslog header is seriously malformed. Maybe this is part of the picture... can you add, on top of rsyslog.conf:

*.* /var/log/msgdebug.log;RSYSLOG_DebugFormat

This will write a couple of lines for each message showing how rsyslog perceived the fields. Locate a message in question and post all lines related to it. That hopefully helps us to see a bit clearer (if not, we need a real debug log).

Rainer

> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
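An added example, not part of this thread and not rsyslog's own code: an RFC 6587 TCP syslog frame splitter that illustrates one common cause of events that look "truncated at different lengths". The cause is an assumption here, not something the thread confirms: multi-line XML sent with LF-delimited (non-transparent) framing is cut at every newline by the receiver, while octet-counted framing keeps the message whole. The FireEye-style XML payload is constructed; the real trace on pastebin is not reproduced.

```python
# Added example: RFC 6587 TCP syslog framing and how a multi-line XML event
# fragments under LF framing. Assumed cause of the symptom, sample data constructed.
import re

# Octet-counted frame header: decimal length, a space, then the message.
OCTET_HDR = re.compile(rb"(\d{1,5}) ")

def split_frames(stream: bytes):
    """Split a TCP byte stream into syslog messages, auto-detecting framing.

    A frame starting with digits and a space is octet-counted (RFC 6587 3.4.1);
    anything else is non-transparent framing, terminated by LF (RFC 6587 3.4.2).
    pattern.match(stream, pos) anchors at pos, so no '^' is needed.
    """
    msgs = []
    pos = 0
    while pos < len(stream):
        m = OCTET_HDR.match(stream, pos)
        if m:
            length = int(m.group(1))
            start = m.end()
            msgs.append(stream[start:start + length])
            pos = start + length
        else:
            end = stream.find(b"\n", pos)
            if end == -1:          # trailing partial frame without LF
                end = len(stream)
            msgs.append(stream[pos:end])
            pos = end + 1
    return msgs

# Constructed FireEye-style event with embedded newlines inside the XML body.
XML_EVENT = (b"<134>Sep  9 13:00:00 fireeye-host fenotify: "
             b"<alerts>\n  <alert name=\"malware-object\"/>\n</alerts>")

def as_non_transparent(msg: bytes) -> bytes:
    """Non-transparent framing: the sender appends a single LF."""
    return msg + b"\n"

def as_octet_counted(msg: bytes) -> bytes:
    """Octet-counted framing: the sender prefixes the byte length and a space."""
    return b"%d %s" % (len(msg), msg)

if __name__ == "__main__":
    # LF framing: the receiver sees three "messages", each a fragment.
    print(len(split_frames(as_non_transparent(XML_EVENT))), "fragments under LF framing")
    # Octet-counted framing: one complete message.
    print(len(split_frames(as_octet_counted(XML_EVENT))), "message under octet-counted framing")
```

If the sender can only emit LF-framed messages, the fragments can also be checked for a missing `<PRI>` prefix, which is the same malformed-header symptom a receiver-side debug template would expose.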

