I’m trying to transfer logs from syslog-ng to Graylog via TCP.
First, I used syslog-ng’s “syslog” output to transfer logs to Graylog. However, my logs were cut to 1064 bytes. Reading the documentation, I found out that the GELF input is supposed to solve this problem. https://go2docs.graylog.org/5-0/getting_in_log_data/gelf.html
I now use syslog-ng’s graylog2 output to transfer my logs and the GELF TCP input on Graylog.
Except that my logs are still cut off at 1064 bytes …
I tried to use the template("$(gelf-format)") on syslog-ng but that doesn’t seem to solve the problem.
I really think it’s a Graylog issue. When I configure syslog-ng to write the logs it receives to a file, I get the whole line, untruncated. Once in Graylog, this line is truncated to 1064 bytes.
Furthermore, on another infrastructure I maintain, with the exact same syslog-ng configuration, Graylog does not truncate messages with the syslog UDP input. I’ve compared all the configuration files (syslog-ng and Graylog), and they’re the same.
In addition, I did a little tcpdump -A to see the data received at each step (syslog-ng in port, Graylog in port). I can confirm that syslog-ng sends non-truncated messages to Graylog.
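
A length probe for the GELF TCP path described in the post, as an added example that is not part of the original post: it sends GELF 1.1 frames with `full_message` sizes on either side of 1064 characters straight to the input, bypassing syslog-ng, so the stored result can be compared with what went on the wire. The function names, the `gelf-probe` host value, the `_probe_len` field and port 12201 are assumptions, as is an input that keeps the null-byte frame delimiter.

```python
import json
import socket
import sys
import time

CUT = 1064  # length at which the post reports messages being truncated


def build_gelf_frame(host, size):
    """Return (frame, body): one GELF 1.1 TCP frame whose full_message has `size` chars."""
    # Constructed payload: an offset marker every 100 chars shows where a cut happens.
    body = "".join(f"[{i:06d}]".ljust(100, ".") for i in range(0, size, 100))[:size]
    doc = {
        "version": "1.1",
        "host": host,
        "short_message": f"gelf length probe ({size} chars)",
        "full_message": body,
        "timestamp": time.time(),
        "level": 6,
        "_probe_len": size,  # additional fields need a leading underscore
    }
    # GELF over TCP is uncompressed JSON, one document per frame, ended by a null byte.
    return json.dumps(doc).encode("utf-8") + b"\x00", body


def split_frames(stream):
    """Split captured TCP payload bytes into GELF documents on the null delimiter."""
    return [json.loads(chunk) for chunk in stream.split(b"\x00") if chunk]


def compare(stored, sent):
    """Return (intact, stored_len, last_marker) for a full_message copied out of Graylog."""
    marker = stored[stored.rfind("["):stored.rfind("]") + 1] if "]" in stored else ""
    return stored == sent, len(stored), marker


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: probe.py GRAYLOG_HOST [PORT]; 12201 is an assumed GELF TCP input port.
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 12201
    for size in (CUT - 1, CUT, CUT + 1, 4096, 16384):
        frame, _ = build_gelf_frame("gelf-probe", size)
        with socket.create_connection((sys.argv[1], port), timeout=5) as conn:
            conn.sendall(frame)
        print(f"sent full_message of {size} chars ({len(frame)} bytes on the wire)")
```

`split_frames` can be run over payload bytes saved from a packet capture to confirm each frame's `full_message` length before it reaches the input, and `compare` reports the last offset marker that survived in the stored message.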