Hey all. We have some rather long messages in graylog, around 3000 characters in size. Unfortunately they are being truncated. As you can see in the image below, the end of the msg field is cut off. Even when receiving an email alert about the field, it is also being cut off, so it’s definitely not something from the UI.
Is it possible to increase the message limit so that they would no longer be truncated?
We’re using the following Ossec 3.1 for log collection, sending messages to a CEF UDP input in Graylog 2.5.
Please correct me if I'm wrong. I am still pretty new to all of this, but I think that Graylog writes everything into Elasticsearch and depends on its limits.
Which version of ES are you using?
I could think of a limit of 1024 characters in Elasticsearch. Maybe you should search in this direction and, if possible, try to change it there.
We are using the latest version of Elasticsearch. We also tried manually adding a longer message to Elasticsearch and it was added correctly without being truncated. The issue lies in either Graylog or OSSEC.
Some things for debugging (I don’t know the error):
If the message is plain text, use tcpdump to check the message content that Graylog gets. Does GL get the full message?
Check GL’s log; maybe it logs its problem.
Graylog writes the message in the message field; you have a problem with the msg field, so something happened to your message.
The basic syslog format has a length limit.
You can also have problems with your input or OS’ communication/cache/buffer limits.
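The debugging steps above amount to checking, hop by hop, where the message loses its tail. The script below is an added example and is not from this thread, OSSEC or Graylog: it builds a constructed CEF event of a chosen size (the header mimics an OSSEC-style event, the values are made up), pushes it through a loopback UDP socket standing in for the Graylog UDP input, and reports whether the datagram arrived intact, whether it exceeds the 1024-byte limit of traditional BSD syslog (RFC 3164), and whether the expected last byte is still there. The port and the marker byte are assumptions of the example; the fallback to a Unix datagram socketpair only exists so it also runs where loopback networking is unavailable.

```python
import socket

# Traditional BSD syslog (RFC 3164, section 4.1) caps a packet at 1024 bytes;
# senders built around that format often cut longer events here.
RFC3164_MAX_BYTES = 1024


def build_cef_message(target_len: int) -> bytes:
    """Build a constructed CEF event that is exactly target_len bytes long.

    The header imitates an OSSEC-style event; every value is made up. The
    'msg' extension is padded with 'A' and ends in a 'Z' marker so that a
    truncated copy is easy to recognise by its missing tail.
    """
    header = "CEF:0|OSSEC|OSSEC|3.1|1002|Unknown problem|5|"
    extension_prefix = "src=192.0.2.10 suser=example msg="
    fixed = len(header) + len(extension_prefix)
    if target_len <= fixed:
        raise ValueError("target_len is too small for the fixed CEF header")
    padding = "A" * (target_len - fixed - 1) + "Z"
    return (header + extension_prefix + padding).encode("ascii")


def send_and_receive_udp(payload: bytes, recv_buf: int = 65535) -> bytes:
    """Send payload to a loopback UDP listener and return what the listener got.

    This isolates the UDP hop (sender -> Graylog UDP input): if the bytes
    that come out match the bytes that went in, the truncation is not
    happening on the wire. Falls back to an AF_UNIX datagram socketpair when
    loopback networking is not available (assumption for sandboxed runs).
    """
    try:
        receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        receiver.bind(("127.0.0.1", 0))
        sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        dest = receiver.getsockname()
    except OSError:
        sender, receiver = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
        dest = None
    receiver.settimeout(2)
    try:
        if dest is None:
            sender.send(payload)
        else:
            sender.sendto(payload, dest)
        data = receiver.recv(recv_buf)
    finally:
        sender.close()
        receiver.close()
    return data


def truncation_report(sent: bytes, received: bytes) -> dict:
    """Compare what was sent with what arrived and flag the usual suspects."""
    return {
        "sent_len": len(sent),
        "received_len": len(received),
        "truncated": received != sent,
        "exceeds_rfc3164_limit": len(sent) > RFC3164_MAX_BYTES,
        "tail_intact": received.endswith(b"Z"),
    }


if __name__ == "__main__":
    event = build_cef_message(3000)          # the ~3000-character case from the thread
    arrived = send_and_receive_udp(event)
    print("UDP hop:", truncation_report(event, arrived))
    # What a sender that honours the 1024-byte syslog limit would deliver:
    print("syslog-limited sender:", truncation_report(event, event[:RFC3164_MAX_BYTES]))
```

Run against a real pipeline, the same comparison is done with tcpdump on the Graylog host (`tcpdump -i any -nn -A -s 0 udp port <input port>`, where `-s 0` makes sure the whole datagram is captured rather than only the default snaplen). If the datagram on the wire is already short, the cut happens before Graylog (sender-side syslog formatting or buffers); if it is complete on the wire but short in the message field, look at the input, the Graylog log and the Elasticsearch mapping instead.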
I did a tcpdump and it turns out it’s being sent truncated by OSSEC. Probably due to syslog_output. Thank you for the help everyone. I’ll check on their forums.