Limit field length in Syslog UDP


(Hitsu Yaga) #1

Dear all,
Our company is using Graylog to collect some security logs from an F5 device. Everything has been OK until now. We have the log format as below. The content in the content field is longer than in the current log. Graylog cannot get this field in full. Does Graylog limit field length in Syslog UDP? How can I fix this issue?

message

hosting-f5-2 ASM:SourceIP <> Des_IP <> Des_Port 443 Location VN Attack_Type Abuse of Functionality 	policy_name /Common/web_cnmn.vnptdata.vn Severity Error Violation Illegal meta character in value Request POST /?controller=accounts&action=insertIdea HTTP/1.1\r\nHost: cnmn.vnptdata.vn\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nReferer: https://?controller=accounts&action=department&id=3\r\nCookie: PHPSESSID=n7787uqmp2sf1l8lflss1ksdi0; BIGipServer_pool=695017083.47873.0000; TS0122e2ca=01ccf8641a458f4167305efa971d2a55bcdf890059fdc4670ac82abb8fb7774492069a21770af8de85c8027393a1ffb3b7583ec982b1f2e59fe7f78b24992a3b0db9a6ef3d\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 111\r\n\r\n**content=%3Cscript%3Ealert%28%22conghoaxahoichu**

(Jochen) #2

No, but UDP packets in general might be restricted in size in your network environment. This might be as low as 480 bytes (per RFC 5424, section 6.1).

You could switch to Syslog TCP or another protocol altogether to circumvent this limit.


(Hitsu Yaga) #3

Dear Jochen,
Thanks for your reply. You say that Graylog doesn't limit the size of UDP packets. How about a field in one packet? Our current logs are unstructured. The message field contains many characters. Does Graylog or Elasticsearch limit the size of a field?

When I switch to Syslog TCP, I have a problem with the log format as below. We only receive and don't receive . Are the two paragraphs the reason that causes this problem?

"Block A logs

Block B logs"
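Added example, not part of the thread and not Graylog code: the two TCP framings defined in RFC 6587 applied to a syslog payload that itself contains CR LF, such as an ASM event carrying the raw HTTP request. Non-transparent framing terminates each message with LF, so every line break inside the payload becomes a message boundary and one event arrives as several; octet counting prefixes each message with its byte length and carries the line breaks intact. That is one mechanism that produces a "Block A / Block B" split over TCP; whether it is the cause in a given setup depends on how the sender and the input are configured. The sample message is constructed for the demo.

```python
"""Added example (not from the Graylog thread): how the two RFC 6587 TCP
framings treat a syslog payload that itself contains CR/LF.

Non-transparent framing (s3.4.2) delimits messages with a trailing LF, so
any LF inside the payload splits one message into several. Octet counting
(s3.4.1) prefixes each message with its byte length, so embedded line
breaks survive. SAMPLE_MSG is constructed as a short stand-in for an F5 ASM
event whose Request field carries a real HTTP header block.
"""

SAMPLE_MSG = (
    "<134>1 2024-01-01T00:00:00Z hosting-f5-2 ASM - - - "
    "Violation Illegal meta character in value Request POST /?a=1 HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Length: 3\r\n\r\nx=1"
)


def frame_non_transparent(messages):
    """Sender side of non-transparent framing: each message ends with LF."""
    return b"".join(m.encode() + b"\n" for m in messages)


def parse_non_transparent(stream):
    """Receiver side of LF-delimited framing: everything between LFs is one message."""
    parts = stream.split(b"\n")
    if parts and parts[-1] == b"":
        parts.pop()  # the stream ended on a delimiter, not a partial message
    return [p.decode() for p in parts]


def frame_octet_counting(messages):
    """Sender side of octet counting: 'MSG-LEN SP SYSLOG-MSG' per message."""
    out = b""
    for m in messages:
        body = m.encode()
        out += f"{len(body)} ".encode() + body
    return out


def parse_octet_counting(stream):
    """Receiver side of octet counting: read the length, then exactly that many bytes."""
    msgs = []
    pos = 0
    while pos < len(stream):
        sp = stream.index(b" ", pos)
        length = int(stream[pos:sp].decode())
        start = sp + 1
        body = stream[start:start + length]
        if len(body) != length:
            raise ValueError(f"truncated stream: declared {length}, got {len(body)}")
        msgs.append(body.decode())
        pos = start + length
    return msgs


def demo(message=SAMPLE_MSG):
    """Return (messages seen with LF framing, messages seen with octet counting)."""
    lf = parse_non_transparent(frame_non_transparent([message]))
    oc = parse_octet_counting(frame_octet_counting([message]))
    return len(lf), len(oc)
```

The same payload is one event under octet counting and five fragments under LF framing, because the request line, two headers, the blank line and the body each end on a line break. The device and the input have to agree on the framing; if only LF framing is available on both ends, the sender must escape or strip CR LF inside the message before it goes on the wire.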


(Jan Doberstein) #4

Hej @HitsuYaga

You might want to switch to a RAW input and extract all the information with extractors or a pipeline.
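Added example, not from the thread and not Graylog's own code: the field extraction a RAW input with an extractor or pipeline rule would have to do for the ASM event shown in the first post, written out in Python so the regex can be tested against the message before it is moved into Graylog. The regex and the field names are this example's own choices; the sample is adapted from the posted message (the addresses were already redacted to "<>" in the post, the forum's bold markers around the body are dropped, and the header block inside the Request field keeps the literal `\r\n` escapes exactly as the post shows them). The check at the end compares the body the device logged against the Content-Length the client declared, which is a direct test for the "field cut short" symptom the thread is about.

```python
"""Added example (not from the thread or from Graylog): parse the F5 ASM
event format from the first post into structured fields, the work a RAW
input plus an extractor or pipeline rule would do. Regex and field names
are this example's own; SAMPLE is adapted from the posted message.
"""
import re
from urllib.parse import unquote_plus

# One line, as the forum post shows it: CR/LF inside the Request field are
# the two-character escape sequences \r\n, not real line breaks.
SAMPLE = (
    "hosting-f5-2 ASM:SourceIP <> Des_IP <> Des_Port 443 Location VN "
    "Attack_Type Abuse of Functionality \tpolicy_name /Common/web_cnmn.vnptdata.vn "
    "Severity Error Violation Illegal meta character in value "
    "Request POST /?controller=accounts&action=insertIdea HTTP/1.1\\r\\n"
    "Host: cnmn.vnptdata.vn\\r\\n"
    "Content-Type: application/x-www-form-urlencoded\\r\\n"
    "Content-Length: 111\\r\\n\\r\\n"
    "content=%3Cscript%3Ealert%28%22conghoaxahoichu"
)

# Field order follows the posted format; lazy groups stop at the next label.
ASM_RE = re.compile(
    r"^(?P<host>\S+) ASM:SourceIP (?P<src_ip>\S+) Des_IP (?P<dst_ip>\S+) "
    r"Des_Port (?P<dst_port>\d+) Location (?P<geo>\S+) "
    r"Attack_Type (?P<attack_type>.+?)\s+policy_name (?P<policy>\S+) "
    r"Severity (?P<severity>\S+) Violation (?P<violation>.+?) "
    r"Request (?P<request>.*)$",
    re.DOTALL,
)


def parse_request(raw):
    """Split the embedded HTTP request into request line, headers and body.

    Accepts real CR LF as well as the literal backslash escapes seen in the post.
    """
    text = raw.replace("\\r\\n", "\r\n")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def parse_asm_event(message):
    """Return a flat dict of fields, or None if the line is not an ASM event."""
    m = ASM_RE.match(message)
    if not m:
        return None
    fields = m.groupdict()
    fields["dst_port"] = int(fields["dst_port"])
    req = parse_request(fields.pop("request"))
    fields.update({
        "http_method": req["method"],
        "http_path": req["path"],
        "http_host": req["headers"].get("host"),
        "http_body_decoded": unquote_plus(req["body"]),
    })
    # Body shorter than the declared Content-Length means the event, or the
    # transport that carried it, cut the field short before it was indexed.
    declared = req["headers"].get("content-length")
    fields["body_truncated"] = (
        declared is not None and len(req["body"].encode()) < int(declared)
    )
    return fields
```

Running `parse_asm_event(SAMPLE)` yields `attack_type` "Abuse of Functionality", `violation` "Illegal meta character in value", the decoded body `content=<script>alert("conghoaxahoichu` and `body_truncated` True, since 46 bytes arrived against a declared 111. Once the expression behaves on captured lines, the same named groups map onto a Graylog regex or Grok extractor, or onto a pipeline rule, with one field per group.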


(system) #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.