I’m trying to transfer logs from syslog-ng to graylog via tcp.
First, I used syslog-ng’s “syslog” output to transfer logs to graylog. However, my logs were cut to 1064 bytes. Reading the documentation, I found out that the GELF input is supposed to solve this problem.
I now use syslog-ng’s graylog2 output to transfer my logs and GELF tcp input on graylog.
Except that my logs are still cut off at 1064 bytes …
I try to use the template(“$(gelf-format)”) on syslog-ng but that doesn’t seem to solve the problem.
Am I missing something?
If you are sending logs with GELF, then this could help on the sending side in your config:
Thanks for your reply!
I’m not sure where I’m supposed to put the configuration you gave me.
Can you give me more details?
should look something like this
root # vi /etc/nxlog.conf
#Exec $raw_event = $raw_event;
Path in => out
I don’t have nxlog installed on my server.
I really think it’s a Graylog issue. When I configure syslog-ng to write the logs it receives to a file, I get the whole line, untruncated. Once in Graylog, this line is truncated to 1064 bytes.
Furthermore, on another infrastructure I maintain, with the exact same syslog-ng configuration, graylog does not truncate messages with syslog udp input. I’ve compared all the configuration files (syslog-ng and graylog), and they’re the same.
In addition, I did a little tcpdump -A to see the data received at each step (syslog-ng in port, graylog in port). I can confirm that syslog-ng sends non-truncated messages to graylog.
I must admit I’m a bit confused…
At first you really need a syslog input for this, whereas a GELF input is for a specific message format.
Then you could look at the settings for this port and check if max message size is set.
After that there could be a system limitation that could shorten your message to 1064 bytes; this should normally be 4k.