GELF input truncates message to 1064 bytes

Hello !

I’m trying to transfer logs from syslog-ng to graylog via tcp.

First, I used syslog-ng’s “syslog” output to transfer logs to graylog. However, my logs were cut to 1064 bytes. Reading the documentation, I found out that the GELF input is supposed to solve this problem.
https://go2docs.graylog.org/5-0/getting_in_log_data/gelf.html

I now use syslog-ng’s graylog2 output to transfer my logs and GELF tcp input on graylog.
Except that my logs are still cut off at 1064 bytes …

I try to use the template(“$(gelf-format)”) on syslog-ng but that doesn’t seem to solve the problem.

Am I missing something ?

Thank you

Hi @mobarzik

If you are sending logs with GELF, then this could help on the sending side in your config:

<Extension gelf>
    Module xm_gelf
    ShortMessageLength 65536
</Extension>


Hi @Arie

Thanks for your reply !
I’m not sure where I’m supposed to put the configuration you gave me.

<Extension gelf>
    Module xm_gelf
    ShortMessageLength 65536
</Extension>

Can you give me more details ?

@mobarzik
should look something like this

root # vi /etc/nxlog.conf

<Extension gelf>
    Module xm_gelf
    ShortMessageLength 65536
</Extension>

<Input in>
    Module       im_file
    FILE         "/var/log/messages"
    SavePos      TRUE
    ReadFromLast TRUE
    PollInterval 1
</Input>

<Output out>
    Module      om_udp
    Host        graylog.domain.com
    Port        5044
    OutputType  GELF_UDP
    #Exec $raw_event = $raw_event;
</Output>

<Route>
    Path        in => out
</Route>

Hi @gsmith,

I don’t have nxlog installed on my server.

I really think it’s a Graylog issue. When I configure syslog-ng to write the logs it receives to a file, I get the whole line, untruncated. Once in Graylog, this line is truncated to 1064 bytes.

Furthermore, on another infrastructure I maintain, with the exact same syslog-ng configuration, graylog does not truncate messages with syslog udp input. I’ve compared all the configuration files (syslog-ng and graylog), and they’re the same.

In addition, I did a bit of tcpdump -A to see the data received at each step (syslog-ng in port, graylog in port). I can confirm that syslog-ng sends non-truncated messages to graylog.

I must admit I’m a bit confused…

Hi @mobarzik

At first you really need a syslog input for this, whereas a GELF input is for
a specific message format.

Then you could look at the settings for this port and check if max message size is set

max_message_size: 2097152

After that there could be a system limitation that could shorten your message to 1064 bytes,
this should normally be 4k.

https://www.google.com/search?client=firefox-b-d&q=linux+set+tcp+receive+buffer+size

Good luck,
Arie


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
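
An added example, not part of the thread and not code from Graylog, syslog-ng or NXLog: a small probe for checking where a long message gets cut on a GELF TCP path. It builds a GELF 1.1 message whose `short_message` is longer than the 1064 bytes reported above and ends in a marker, frames it with the null byte that GELF over TCP uses as its message delimiter, and reads it back through a local stream socket. All function names, the marker string and the `probe-host` value are hypothetical.

```python
import json
import socket

TRUNCATION_POINT = 1064  # byte count reported in this thread
END_MARKER = "<END-OF-PROBE>"  # constructed marker; if it is missing, the message was cut


def build_gelf_frame(host: str, short_message: str) -> bytes:
    """Serialize one GELF 1.1 message; GELF over TCP ends each message with a null byte."""
    doc = {"version": "1.1", "host": host, "short_message": short_message, "level": 6}
    return json.dumps(doc).encode("utf-8") + b"\x00"


def probe_message(length: int) -> str:
    """Return exactly `length` characters of filler that end with END_MARKER."""
    return "A" * (length - len(END_MARKER)) + END_MARKER


def split_frames(stream: bytes) -> list:
    """Split a received byte stream into GELF messages on the null delimiter."""
    return [json.loads(chunk) for chunk in stream.split(b"\x00") if chunk]


def stream_roundtrip(length: int, recv_size: int = 512) -> str:
    """Push one probe through a local stream socket pair and return what the reader parsed."""
    sender, receiver = socket.socketpair()  # local stand-in for the TCP connection
    with sender, receiver:
        sender.sendall(build_gelf_frame("probe-host", probe_message(length)))
        sender.shutdown(socket.SHUT_WR)
        chunks = []
        # One recv() may return only part of a frame, so read until the peer closes.
        while chunk := receiver.recv(recv_size):
            chunks.append(chunk)
    return split_frames(b"".join(chunks))[0]["short_message"]


def send_probe(host: str, port: int, length: int) -> None:
    """Send one probe to a GELF TCP input (host and port are whatever your input listens on)."""
    with socket.create_connection((host, port), timeout=5) as conn:
        conn.sendall(build_gelf_frame("probe-host", probe_message(length)))


if __name__ == "__main__":
    received = stream_roundtrip(4 * TRUNCATION_POINT)
    print(len(received), received.endswith(END_MARKER))
```

Calling `send_probe` against the input and then searching for the marker in the stored message shows whether the cut happens after the sender, without syslog-ng in the path.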