Sylog message sizing

Hi

What are your opinions on increasing the size of the syslog message.

Increasing syslog message size will potentially have a negative impact on the performance in log collection, normalization and parsing.

On the other hand it is important to be able to extract the necessary information from collected log messages, and some windows evenLog messages have increased over time.

Take for example event ID 4662 ‘An operation was performed on an object’, it can exceed 34000 in message size.

Another example is custom application logs, where developers might have another opinion, of what meaningful logs should contain.

Regards

Hans

Page 1 / 1

We have increased it to the maximum of 64K to collect and normalize the Windows PowerShell Script Block Logs.

Hi Markus

Really interesting - I was concerned that it would put too much stress on the system. But then again, as many of the normalizers are compiled, then it will reduce load.

Do you have any idea of how many large messages is being generated in 24 hours in your installation?

Regards

Hans

Reply

Sign up

Already a Partner or Customer? Login with your LogPoint Support credentials. Don‘t have a LogPoint Support account? Ask your local LogPoint Representative. Only visiting? Login with LinkedIn to gain read–access.

Login to the community

Already a Partner or Customer? Login with your LogPoint Support credentials. Don‘t have a LogPoint Support account? Ask your local LogPoint Representative. Only visiting? Login with LinkedIn to gain read–access.

Scanning file for viruses.

This file cannot be downloaded