On Sat, 24 Oct 2009, Clayton Dukes wrote:

> I think the problem may be that sysread is limiting to 1024 because
> that is how the RFC defines a syslog message - it's not supposed to
> exceed that. Whatever system that's sending messages of 1600 bytes
> isn't following the rules of the protocol...shame on them?
>
> http://www.faqs.org/rfcs/rfc3164.html (see section 4.1)

FYI there is a new syslog RFC http://www.faqs.org/rfcs/rfc5424.html which 
specifies that syslog daemons should accept 2k messages (see section 6.1)

now this was only published in March 2009, so it hasn't been out there 
very long, and it does mandate some things that traditional syslog daemons 
do not do (supporting TLS transport for example) so you can't take it as 
'syslog now supports this', but instead that some syslog daemons support 
this, and more are expected to in the future.

the main author of this is also the lead developer of rsyslog, so rsyslog 
complies with this. I think (but have not checked) that syslog-ng also 
complies with this.

David Lang

>
> On Fri, Oct 23, 2009 at 6:17 PM, Ronald San Juan
> <ronald.sanj...@telus.com> wrote:
>> Hi,
>>
>> I am using SEC v2.5. The problem I have is SEC doesn't seem to read lines
>> with over 1024 characters in length. I found out that it is using sysread()
>> which has limitations to 1024 characters.
>>
>> Scenario: The logfile has lines reaching 1600 characters in length.
>>
>> rule:
>>
>> type=singlewiththreshold
>> ptype=regexp
>> pattern=(routing.jsp_servlet._dialogs)
>> desc=$0
>> action=write - $0
>> window=10
>> thresh=10
>>
>> result:
>>
>> When thresh is set to 10, the rule is loaded but I do not get any result.
>> The threshold is definitely being met as the pattern occurs at least 10
>> times per second. When I set the thresh to 1, I get the results. Basically,
>> setting the thresh to any number greater than one does not trigger the
>> alarm.
>>
>> I'm thinking because of the limitation of sysread to 1024 characters, SEC
>> is unable to process multiple lines in a singlewiththreshold window.
>>
>> I tried the same rule on a similar file whose lines do not exceed 1024
>> characters, and it works fine.
>>
>> Is there a way to bypass this without having to split the lines? Is there a
>> function I can use to replace sysread(1024)?
>>
>> Any help will do. Thanks in advance.
>>
>>
>> Regards,
>>
>> Ronald
>> ------------------------------------------------------------------------------
>> Come build with us! The BlackBerry(R) Developer Conference in SF, CA
>> is the only developer event you need to attend this year. Jumpstart your
>> developing skills, take BlackBerry mobile applications to market and stay
>> ahead of the curve. Join us from November 9 - 12, 2009. Register now!
>> http://p.sf.net/sfu/devconference
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
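As an added illustration for the sysread() question (this is my own example, not SEC's code, and it makes no claim about how SEC itself reads its input): a fixed 1024-byte sysread() does not by itself limit line length. It only limits how much arrives per call; a reader that carries the unterminated tail of each chunk over to the next call hands back whole lines of any length, while one that treats each chunk as a set of complete lines cuts anything that straddles a chunk edge. The script also models a second thing worth checking before blaming the read size: SEC keys a SingleWithThreshold operation on its desc string (my reading of the SEC manual), so with desc=$0 every distinct matching line gets its own counter and thresh=10 is reached only if the same full line repeats verbatim, while thresh=1 always fires. The log lines, the 1024 read size and the constant 'dialogs' desc are all made up for the example.

```perl
#!/usr/bin/perl
# Added example for the thread above; not SEC's code. Shows (1) a fixed-size
# sysread() loop that still returns whole lines of any length by carrying
# partial lines between reads, and (2) a simplified model of a desc-keyed
# threshold counter. All sample data is constructed here.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Reader that treats every sysread() chunk as if it held complete lines.
# Any line longer than $bufsize, or straddling a chunk edge, gets cut.
sub read_lines_naive {
    my ($path, $bufsize) = @_;
    open my $fh, '<', $path or die "open $path: $!";
    binmode $fh;
    my @lines;
    while (1) {
        my $n = sysread($fh, my $chunk, $bufsize);
        die "sysread: $!" unless defined $n;
        last if $n == 0;                               # EOF
        push @lines, split /\n/, $chunk;               # no carry-over between chunks
    }
    close $fh;
    return @lines;
}

# Same sysread() size, but unterminated text stays in $pending until its
# newline arrives in a later chunk, so line length is bounded by memory only.
sub read_lines_buffered {
    my ($path, $bufsize) = @_;
    open my $fh, '<', $path or die "open $path: $!";
    binmode $fh;
    my ($pending, @lines) = ('');
    while (1) {
        my $n = sysread($fh, my $chunk, $bufsize);
        die "sysread: $!" unless defined $n;
        last if $n == 0;                               # EOF
        $pending .= $chunk;
        while ((my $nl = index($pending, "\n")) >= 0) {
            push @lines, substr($pending, 0, $nl);     # one complete line
            substr($pending, 0, $nl + 1, '');          # drop it plus its newline
        }
    }
    close $fh;
    push @lines, $pending if length $pending;          # unterminated last line
    return @lines;
}

# Simplified model of a SingleWithThreshold counter: one counter per desc
# string, which is how SEC keys its correlation operations (my reading of the
# SEC manual, not SEC's code). Returns how many desc keys reached $thresh.
sub keys_reaching_thresh {
    my ($desc_of, $pattern, $thresh, @lines) = @_;
    my %count;
    for my $line (@lines) {
        next unless $line =~ $pattern;
        $count{ $desc_of->($line) }++;
    }
    return scalar grep { $count{$_} >= $thresh } keys %count;
}

sub longest {
    my $max = 0;
    for (@_) { my $l = length $_; $max = $l if $l > $max; }
    return $max;
}

# Constructed input: 12 distinct lines of 1589 bytes carrying the rule's
# pattern, then one short line without it.
my $pattern = qr/(routing.jsp_servlet._dialogs)/;      # the rule's pattern, as written
my ($out, $path) = tempfile(UNLINK => 1);
binmode $out;
for my $i (1 .. 12) {
    my $line = sprintf("req%02d ", $i) . ('x' x 1553) . " routing.jsp_servlet._dialogs\n";
    print {$out} $line;
}
print {$out} "short line without the pattern\n";
close $out;

my @naive    = read_lines_naive($path, 1024);
my @buffered = read_lines_buffered($path, 1024);
printf "naive:    %d pieces, longest %d bytes\n", scalar @naive, longest(@naive);       # longest <= 1024
printf "buffered: %d lines,  longest %d bytes\n", scalar @buffered, longest(@buffered); # 13 lines, 1589

# desc=$0 keys each counter on the whole line, so 12 different lines give 12
# counters of 1 and thresh=10 is never reached; a constant desc shares one.
my $thresh = 10;
printf "desc=\$0   : %d key(s) reached thresh %d\n",
    keys_reaching_thresh(sub { $_[0] },     $pattern, $thresh, @buffered), $thresh;   # 0
printf "desc=const: %d key(s) reached thresh %d\n",
    keys_reaching_thresh(sub { 'dialogs' }, $pattern, $thresh, @buffered), $thresh;   # 1
```

Run it with perl: the naive reader reports no piece longer than 1024 bytes, the buffered reader reports 13 lines with the longest at 1589 bytes, and the desc=$0 counter reaches the threshold for zero keys against one key for the constant desc. If the real log lines carry timestamps or request ids, a desc such as desc=dialogs (or a capture group that is stable across the lines to be counted) is what makes thresh greater than 1 meaningful.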
