Thank you very much, I will proceed to do that.

On 9 September 2015 at 18:40, Rainer Gerhards <[email protected]> wrote:

> 2015-09-09 13:00 GMT+02:00 Robert Gabriel <[email protected]>:
> > Hi,
> >
> > We are receiving on TCP 514, FireEye syslog in XML concise format.
> >
> > Events appear to be truncated at different lengths.
> >
> > We have tried by increasing max message size but no joy.
> >
> > Please can we have some help?
> >
> > Thank you.
> >
> > $MaxMessageSize 512k
> > $MainMsgQueueSize 100000 # 100000 may be a value to handle burst traffic
> >
> > $RuleSet FIREEYE
> > $template FireEye,"%rawmsg%\n"
> > $InputTCPServerBindRuleset FIREEYE
> > $InputTCPServerRun 514
> > *.* /media/data/rsyslog/fireeye;FireEye
> > & ~
> > $RuleSet RSYSLOG_DefaultRuleset
> >
> > And the TCP trace from Wireshark showing entire XML event:
> >
> > http://pastebin.com/2L3UGWtB
>
> The syslog header is seriously malformed. Maybe this is part of the
> picture...
>
> Can you add, on top of rsyslog.conf:
>
> *.* /var/log/msgdebug.log;RSYSLOG_DebugFormat
>
> This will write a couple of lines for each message showing how rsyslog
> perceived the fields. Locate a message in question and post all lines
> related to it. That hopefully helps us to see a bit clearer (if not,
> we need a real debug log).
>
> Rainer
>
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.

