On Wed, 9 Sep 2015, Robert Gabriel wrote:

Hi,

We are receiving on TCP 514, FireEye syslog in XML concise format.

Events appear to be truncated at different lengths.

We have tried by increasing max message size but no joy.

Please can we have some help?

Thank you.

$MaxMessageSize 512k
$MainMsgQueueSize 100000 # 100000 may be a value to handle burst traffic

$RuleSet FIREEYE
$template FireEye,"%rawmsg%\n"
$InputTCPServerBindRuleset FIREEYE
$InputTCPServerRun 514
*.* /media/data/rsyslog/fireeye;FireEye
& ~
$RuleSet RSYSLOG_DefaultRuleset

And the TCP trace from Wireshark showing entire XML event:

http://pastebin.com/2L3UGWtB

There are two things that can cause the message to be truncated over TCP:

1. exceeding max message size

2. a newline

Since XML doesn't consider a newline anything special, if this is just sending it as-is, that could be the cause of the problem.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
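
The two truncation causes named in the reply, reproduced as an added example (not code from the thread or from rsyslog): a receiver that treats LF as the end of a message splits a multi-line XML event into several short records. It goes one step beyond the reply by also showing RFC 6587 octet-counted framing, where an embedded newline is just data. The sample event, the "sensor" tag and all function names are constructed for illustration.

```python
import re

MAX_SIZE = 512 * 1024  # "$MaxMessageSize 512k" from the post, read as KiB (assumption)
LEN_PREFIX = re.compile(rb"([1-9]\d*) ")  # RFC 6587 "MSG-LEN SP"

# Constructed sample event with embedded newlines; not the pastebin capture.
SAMPLE_EVENT = (
    b'<134>sensor: <alert id="1">\n'
    b"  <src>192.0.2.5</src>\n"
    b"  <name>constructed-example</name>\n"
    b"</alert>"
)

def split_on_newline(stream: bytes, max_size: int = MAX_SIZE) -> list:
    """LF-delimited framing: every LF ends a message, and each message
    is cut at max_size. These are the two causes named in the reply."""
    return [f[:max_size] for f in stream.split(b"\n") if f]

def octet_frame(msg: bytes) -> bytes:
    """Sender side of RFC 6587 octet-counting: 'MSG-LEN SP SYSLOG-MSG'."""
    return str(len(msg)).encode() + b" " + msg

def split_octet_counted(stream: bytes) -> list:
    """Receiver side of octet-counting: LF inside a message is just data."""
    frames, pos = [], 0
    while pos < len(stream):
        m = LEN_PREFIX.match(stream, pos)
        if m is None:
            raise ValueError(f"no length prefix at offset {pos}")
        end = m.end() + int(m.group(1))
        if end > len(stream):
            raise ValueError(f"frame at offset {pos} is incomplete")
        frames.append(stream[m.end():end])
        pos = end
    return frames

def truncation_causes(event: bytes, max_size: int = MAX_SIZE) -> list:
    """Which of the two causes would cut this event short at the receiver."""
    causes = []
    if b"\n" in event.rstrip(b"\n"):
        causes.append("embedded newline")
    if len(event) > max_size:
        causes.append("exceeds max message size")
    return causes

if __name__ == "__main__":
    print(len(split_on_newline(SAMPLE_EVENT + b"\n")), "records from LF framing")
    print(len(split_octet_counted(octet_frame(SAMPLE_EVENT))), "record from octet counting")
    print(truncation_causes(SAMPLE_EVENT))
```

Running `truncation_causes` over an event reassembled from a packet capture shows which of the two causes applies before any receiver setting is changed.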
