How to send syslog messages larger than 1024 bytes on Linux.

Article ID: 174322

Products

Data Loss Prevention Enforce

Issue/Introduction

In DLP 14.6 and later, syslog messages are limited to 1024 bytes by default, so longer messages are truncated.

Environment

On older Linux releases, such as RHEL/CentOS 5.x, the syslog service has a 
hard-coded buffer of 1024 bytes; messages longer than 1024 bytes are truncated.
On newer releases, such as RHEL/CentOS 6.x and above, the classic syslog 
service is replaced by "rsyslog" (e.g. on CentOS) or "syslog-ng", and the 
maximum message size is configurable, with a default of 2 KB or 8 KB 
depending on the daemon and version.

Resolution

Edit /etc/rsyslog.conf on the Linux host running rsyslog to raise 
$MaxMessageSize and enable the UDP listener, e.g.

# Set max log message size in bytes. NOTE: this must come before any module
# is loaded, ideally as the first line of the config
$MaxMessageSize 4k

# Provide UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

Restart the rsyslog service for the change to take effect. Note that a UDP 
datagram larger than the path MTU (about 1500 bytes on Ethernet) is 
IP-fragmented, and some firewalls drop fragments; for messages of several 
kilobytes, a TCP listener (imtcp) is the more reliable transport.
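To confirm that the receiver really accepts messages above 1024 bytes after the change, the script below (an added example, not part of the original article or the DLP product) builds an RFC 3164 style message padded to an exact byte length with a marker at the very end, sends it over UDP (the listener enabled above) or TCP, and provides a check for the marker in a logged line. The receiver address 127.0.0.1:514, the log path /var/log/messages and the hostname/tag values are assumptions for illustration.

```python
"""Check whether a syslog receiver accepts messages longer than 1024 bytes.

Added example (not from the original article). Sends a message of a chosen
size whose last bytes are a marker; if the marker is missing from the
receiver's log, something on the path truncated the message.
"""
import socket
import time

MARKER = b"END-OF-MSG"


def build_syslog_message(total_len: int, hostname: str = "dlp-enforce",
                         tag: str = "dlptest", pri: int = 14) -> bytes:
    """Return an RFC 3164 message of exactly total_len bytes.

    pri 14 = facility user (1*8) + severity info (6). The timestamp format
    is always 15 characters, so the header length is fixed for given
    hostname/tag and the padding can be computed exactly. hostname and tag
    are assumed values for illustration.
    """
    timestamp = time.strftime("%b %d %H:%M:%S").encode()
    header = b"<%d>%s %s %s: " % (pri, timestamp, hostname.encode(), tag.encode())
    pad_len = total_len - len(header) - len(MARKER)
    if pad_len < 0:
        raise ValueError("total_len too small for header and marker")
    return header + b"X" * pad_len + MARKER


def send_message(msg: bytes, host: str = "127.0.0.1", port: int = 514,
                 proto: str = "udp") -> int:
    """Send msg to host:port and return the number of bytes handed to the socket.

    UDP: one datagram per message (datagrams above the path MTU are
    IP-fragmented). TCP: non-transparent framing, i.e. message plus newline,
    which is what rsyslog's imtcp expects by default.
    """
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(msg, (host, port))
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((host, port))
        s.sendall(msg + b"\n")
        return len(msg) + 1


def is_truncated(logged_line: str) -> bool:
    """True if a line from the receiver's log file lacks the end marker."""
    return MARKER.decode() not in logged_line


def logged_payload_len(logged_line: str) -> int:
    """Count payload bytes (padding plus marker) that reached the log.

    rsyslog rewrites the timestamp/hostname when writing to file, so only
    the body after 'tag: ' is compared, not the whole line.
    """
    body = logged_line.split(": ", 1)[-1]
    return len(body.encode())


if __name__ == "__main__":
    import sys
    size = int(sys.argv[1]) if len(sys.argv) > 1 else 2048
    proto = sys.argv[2] if len(sys.argv) > 2 else "udp"
    msg = build_syslog_message(size)
    sent = send_message(msg, proto=proto)
    # /var/log/messages is the typical RHEL/CentOS target; adjust to your config.
    print(f"sent {sent} bytes over {proto}; check with: "
          f"grep -c {MARKER.decode()} /var/log/messages")
```

Run it as `python3 check_syslog_size.py 4096 udp` on the receiving host, then grep the log for END-OF-MSG. If the marker is absent at 2048 bytes but present at 1024, the receiver still enforces the old limit (check that $MaxMessageSize precedes every $ModLoad line); if UDP fails at large sizes while `tcp` succeeds, fragmentation is being dropped between sender and receiver.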