Long audit log entries may be truncated when remotely logged via syslog

Article ID: 158987

Products

Messaging Gateway

Issue/Introduction

When logging audit data to syslog, some very long audit entries appear truncated in the remote syslog file. This is most noticeable in two cases: when the SUBJECT audit entry contains base64-encoded data, because some log viewers may not recognize the truncated base64 data as the expected character set, and when a message has a large number of recipients, resulting in a large ORCPTS audit entry.

Local audit data stored on the SMG system is unaffected.

Sample truncated syslog entry

Feb 21 10:00:31 ecelerity: 1393005631|c0a80205-b7f7c8e0000011ad-0f-
5307943c27df|ORCPTS|[email protected]|[email protected]|[email protected]
in.com|[email protected]|[email protected]|[email protected]|user
[email protected]|[email protected]|[email protected]|[email protected]
in.com|[email protected]|[email protected]|[email protected]|use
[email protected]|[email protected]|[email protected]|[email protected]
in.com|[email protected]|[email protected]|[email protected]|us
[email protected]|[email protected]|[email protected]|[email protected]
in.com|[email protected]|[email protected]|[email protected]|u
[email protected]|[email protected]|[email protected]|[email protected]
in.com|[email protected]|[email protected]|[email protected]|u
[email protected]|[email protected]|[email protected]|[email protected]
in.com|[email protected]|[email protected]|[email protected]|use
[email protected]|user

Cause

Messaging Gateway truncates the audit data at 1024 characters when preparing it for delivery to syslog. This is due to a limitation in syslog which causes messages longer than 1024 bytes to be split across multiple log entries.

Limiting remote syslog logging of audit entries in this way was determined to be the best option for continuing to allow syslog logging of log data while respecting the operational limits of common syslog receivers.

Resolution

The maximum size of individual lines in a remote syslog can be changed from the default of 1024 to 4096: under Administration > Logs > Remote, enable "Allow extended length lines in syslog".
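
An added example, not part of the original article or of Messaging Gateway: a Python check that a log consumer could run over received syslog lines to flag audit entries that look cut off, so they can be re-read from the local audit data on the SMG system. It assumes the cap is counted on the audit payload after the `ecelerity: ` tag and that encoded subjects are logged as RFC 2047 encoded-words; the function names and sample lines are constructed for illustration.

```python
import re

DEFAULT_LIMIT = 1024   # default cap from the article; 4096 with extended lines enabled
TAG = "ecelerity: "    # syslog tag seen in the article's sample entry
# Loose "is this a whole address" check, enough to spot a recipient cut mid-string.
ADDR = re.compile(r"^[^@\s|]+@[^@\s|]+\.[A-Za-z]{2,}$")
# RFC 2047 encoded-word opener; assumes SUBJECT is logged in that form.
ENC_OPEN = re.compile(r"=\?[^?\s]+\?[BbQq]\?")

def parse_audit(line):
    """Return (epoch, audit_id, field, values, payload), or None if not an audit line."""
    _, found, payload = line.rstrip("\r\n").partition(TAG)
    parts = payload.split("|")
    if not found or len(parts) < 4:
        return None
    return parts[0], parts[1], parts[2], parts[3:], payload

def truncation_reasons(line, limit=DEFAULT_LIMIT):
    """List the reasons a remote audit line looks cut off (empty list = looks whole)."""
    rec = parse_audit(line)
    if rec is None:
        return []
    _, _, field, values, payload = rec
    reasons = []
    # Assumption: the cap is counted on the audit payload that follows the tag.
    if len(payload) >= limit:
        reasons.append("payload at length cap")
    if field == "ORCPTS" and not ADDR.match(values[-1]):
        reasons.append("last recipient is not a complete address")
    if field == "SUBJECT":
        subject = "|".join(values)  # a subject may itself contain '|'
        opens = list(ENC_OPEN.finditer(subject))
        if opens and "?=" not in subject[opens[-1].end():]:
            reasons.append("encoded-word in subject is not closed")
    return reasons

# Constructed sample lines (not real SMG output), shaped like the article's entry.
_ID = "c0a80205-b7f7c8e0000011ad-0f-5307943c27df"
_PREFIX = f"1393005631|{_ID}|"
_HDR = f"Feb 21 10:00:31 {TAG}{_PREFIX}"
_RCPTS = "|".join(f"user{i}@example.com" for i in range(100))
SAMPLES = {
    "whole": _HDR + "ORCPTS|alice@example.com|bob@example.com",
    "cut_rcpts": _HDR + ("ORCPTS|" + _RCPTS)[: DEFAULT_LIMIT - len(_PREFIX)],
    "cut_subject": _HDR + "SUBJECT|=?UTF-8?B?U2FtcGxlIHN1YmplY3QgdGV4",
}

if __name__ == "__main__":
    print({name: truncation_reasons(line) for name, line in SAMPLES.items()})
```

Both checks are heuristics: a cut that happens to land at the end of a complete address is caught only by the length check, so pass `limit=4096` once extended length lines are enabled.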