GELF input truncates messages to 1064 bytes

Hello!

I’m trying to transfer logs from syslog-ng to graylog via tcp.

First, I used syslog-ng’s “syslog” output to transfer logs to graylog. However, my logs were cut to 1064 bytes. Reading the documentation, I found out that the GELF input is supposed to solve this problem.

I now use syslog-ng’s graylog2 output to transfer my logs and GELF tcp input on graylog.
Except that my logs are still cut off at 1064 bytes …

I tried to use the template("$(gelf-format)") on syslog-ng but that doesn’t seem to solve the problem.

Am I missing something?

Thank you

Hi @mobarzik

If you are sending logs with GELF, then this could help on the sending side in your config:

<Extension gelf>
    Module xm_gelf
    ShortMessageLength 65536
</Extension>


Hi @Arie

Thanks for your reply!
I’m not sure where I’m supposed to put the configuration you gave me.

<Extension gelf>
    Module xm_gelf
    ShortMessageLength 65536
</Extension>

Can you give me more details?

It should look something like this:

root # vi /etc/nxlog.conf

<Extension gelf>
    Module xm_gelf
    ShortMessageLength 65536
</Extension>

<Input in>
    Module       im_file
    FILE         "/var/log/messages"
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
</Input>

<Output out>
    Module      om_udp
    Port        5044
    OutputType  GELF_UDP
    #Exec $raw_event = $raw_event;
</Output>

<Route 1>
    Path        in => out
</Route>

Hi @gsmith,

I don’t have nxlog installed on my server.

I really think it’s a Graylog issue. When I configure syslog-ng to write the logs it receives to a file, I get the whole line, untruncated. Once in Graylog, this line is truncated to 1064 bytes.

Furthermore, on another infrastructure I maintain, with the exact same syslog-ng configuration, graylog does not truncate messages with syslog udp input. I’ve compared all the configuration files (syslog-ng and graylog), and they’re the same.

In addition, I did a bit of tcpdump -A to see the data received at each step (syslog-ng in port, graylog in port). I can confirm that syslog-ng sends non-truncated messages to graylog.

I must admit I’m a bit confused…

Hi @mobarzik

At first you really need a syslog input for this, whereas a GELF input is for a specific message format.

Then you could look at the settings for this port and check if max message size is set

max_message_size: 2097152

After that there could be a system limitation that could shorten your message to 1064 bytes, this should normally be 4k.

Good luck,
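
One way to find out where the cut happens, as an added example that is not from any poster in this thread: send a GELF message whose content encodes its own byte offsets to the GELF TCP input, then compare what Graylog stored. The function names, the `_sent_length` field and the host value are hypothetical, and the input is assumed to use the null-byte frame delimiter.

```python
import json
import socket
import time

def ruler(length):
    """Self-describing payload: every 8-byte block holds its own start offset."""
    blocks = "".join(f"{off:07d}|" for off in range(0, length + 8, 8))
    return blocks[:length]

def build_gelf_frame(length, host="truncation-test"):
    """GELF 1.1 JSON document plus the null byte that ends a frame on GELF TCP."""
    doc = {
        "version": "1.1",
        "host": host,                    # constructed sample value
        "short_message": ruler(length),
        "timestamp": time.time(),
        "level": 6,
        "_sent_length": length,          # hypothetical custom field: sender's claim
    }
    return json.dumps(doc).encode("utf-8") + b"\x00"

def truncation_point(stored_message, sent_length):
    """None if the stored message is complete, else the offset where it was cut."""
    if stored_message != ruler(len(stored_message)):
        raise ValueError("message was altered, not just truncated")
    if len(stored_message) == sent_length:
        return None
    return len(stored_message)

def send_frame(frame, server, port):
    """Deliver one frame to a GELF TCP input; server and port are your own."""
    with socket.create_connection((server, port), timeout=5) as conn:
        conn.sendall(frame)

if __name__ == "__main__":
    frame = build_gelf_frame(4096)
    print(len(frame), "bytes on the wire, NUL-terminated:", frame.endswith(b"\x00"))
    # Simulated result: what a 1064-byte cut of the stored field would report.
    print("cut at:", truncation_point(ruler(4096)[:1064], 4096))
```

If this frame arrives whole while the syslog-ng traffic does not, the limit sits on the path between syslog-ng and the input rather than in the input itself.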
