Howto: Increase maximum size of syslog message

  • 1 July 2021


In the default configuration the syslog_collector process only accepts messages (log lines) with a maximum of 10000 bytes (characters). This results in truncated messages, and thus they will not be normalized correctly. PowerShell script blocks especially may contain important information, but they generate very long log messages.


Unfortunately this is a fixed value in the syslog_collector binary.
At least the C code is available on the system, so you can adjust the value and compile the binary again.

For this you need sudo/root access.

sudo -i # become root
cd /opt/immune/installed/col/apps/collector_c/syslog_collector/ # source directory of the collector
cp syslog_collector.h syslog_collector.h.bak # create a backup of the file
nano syslog_collector.h # edit the maximum message size

Change the value in this line:


Compile the syslog collector using:

/opt/immune/bin/envdo make clean # remove the old build output
/opt/immune/bin/envdo make # build the collector with the new limit
sv restart /opt/immune/etc/service/syslog_collector/ # restart the service

It would be a great feature to be able to set this value within the web UI.
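After rebuilding, you want two things the post does not show: a way to confirm the collector really accepts the new size, and a way to spot messages that were cut off under the old limit (a truncated PowerShell script block is exactly the kind of event that then fails to normalize). The following is an added example, not code from the original post or from the product; it assumes RFC 5424-style lines, the 10000-byte default the post describes, a collector that truncates rather than drops, and newline-framed TCP input for the send helper (the port and host are placeholders).

```python
"""Added example: verify a syslog collector's message-size limit and flag
lines that were likely truncated. Not part of the original post."""
import socket
from typing import Iterable, List, Tuple

DEFAULT_LIMIT = 10000  # bytes; the post states this is the collector's default maximum
SENTINEL = b"-END"     # marker at the end of test messages so a cut-off is visible


def build_test_message(total_len: int, host: str = "testhost",
                       app: str = "limit-check") -> bytes:
    """Return an RFC 5424-style line padded to exactly total_len bytes.

    The payload ends in SENTINEL: if the collector cuts the message, the
    marker is gone and message_intact() reports the loss.
    """
    header = f"<14>1 2021-07-01T00:00:00Z {host} {app} - - - ".encode()
    body_len = total_len - len(header) - len(SENTINEL)
    if body_len < 0:
        raise ValueError(f"total_len must be at least {len(header) + len(SENTINEL)}")
    return header + b"A" * body_len + SENTINEL


def message_intact(message: bytes) -> bool:
    """True if a test message built above arrived with its sentinel."""
    return message.endswith(SENTINEL)


def find_likely_truncated(lines: Iterable[bytes],
                          limit: int = DEFAULT_LIMIT) -> List[Tuple[int, int]]:
    """Return (1-based line number, length) for lines at or over the limit.

    A line that is exactly `limit` bytes long is the signature of a message
    the collector cut off; a longer one would be cut if fed to it.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        length = len(line.rstrip(b"\r\n"))
        if length >= limit:
            hits.append((n, length))
    return hits


def send_test_message(collector_host: str, port: int, total_len: int,
                      timeout: float = 5.0) -> int:
    """Send one padded test message over TCP with newline framing (assumed
    framing; adjust to the collector's configured input). Returns the number
    of bytes sent. Network call, so the offline sample below does not use it."""
    message = build_test_message(total_len) + b"\n"
    with socket.create_connection((collector_host, port), timeout=timeout) as sock:
        sock.sendall(message)
    return len(message)


# Constructed sample input: a normal line, one sitting exactly at the default
# limit (what a truncated message looks like on disk), and one above it.
SAMPLE_LINES = [
    b"<14>1 2021-07-01T00:00:00Z testhost sshd - - - Accepted publickey for admin\n",
    build_test_message(DEFAULT_LIMIT) + b"\n",
    build_test_message(DEFAULT_LIMIT + 500) + b"\n",
]

if __name__ == "__main__":
    for n, length in find_likely_truncated(SAMPLE_LINES):
        print(f"line {n}: {length} bytes, at or over the {DEFAULT_LIMIT}-byte limit")
    # To check a rebuilt collector: send_test_message("collector.example", 514, 12000)
    # and confirm the stored event still ends in "-END".
```

Run the scanner over the raw log files or an export from the collector before and after the rebuild: hits at exactly 10000 bytes before and none after tell you the new limit is in effect, and the sentinel check on a sent test message confirms nothing past the old boundary is lost.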


1 reply


Thanks for pointing this out, Marcus. The hardcoded limit was provided to prevent the normalization layer from using too much memory and CPU, as longer messages will cause the normalizers to use more resources.

However we have received many such requests regarding the hardcoded limit on the message size.

As of now this is the only way to increase the maximum size of syslog messages. Hopefully this process will be easier in the future and can be done from the GUI itself.
