This article describes the default maximum syslog message length on an ESXi host and explains how to change it by adjusting the Syslog.global.remoteHost.maxMsgLen advanced setting on the ESXi host.
Symptoms:
NSXT-IDPS log messages are truncated when forwarded from the ESXi host to any remote syslog server.
In the IDPS event log below, a single IDPS event is split across three consecutive syslog messages; because the JSON record is cut at an arbitrary byte boundary, none of the fragments is a valid JSON document on its own, so a receiver that parses each syslog message independently cannot reconstruct the event:
2023-09-25T16:07:57Z IDPS-EVT: [2105786]: {"timestamp":"2023-09-25T16:07:22.938586+0000","flow_id":8771907372xxxx,"pcap_cnt":89695629,"event_type":"alert","src_ip":"10.16.x.x","src_port":57762,"dest_ip":"20.x.x.x","dest_port":443,"proto":"TCP","direction":"to_server","metadata":{"flowbits":["LL.verifier_tcp_successful","LL.verifier_tcp_failed","LL.verifier_tcp_blocked"]},"nsx_metadata":{"flow_src_ip":"10.16.x.x","flow_dest_ip":"20.x.x.x","flow_dir":2,"rule_id":xxxx,"profile_id":"8e26cd1f-d749-4aa9-a2ee-xxxxxxxx","user_id":0,"vm_uuid":"5037439c-xxxx-1287-7662-xxxxxxxxxx"},"tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":4101124,"rev":4,"signature":"SLR Alert - OpenSSL TLS Heartbeat information disclosure (CVE-2014-0160)","category":"Attempted Information Leak","severity":2,"source":{"ip":"10.16.x.x","port":57762},"target":{"ip":"20.x.x.x","port":443},"metadata":{"lock":["false"],"type":["snort","suricata"],"policy":["snort-ips","snort-ids","suricata-ips","suricata-ids"],"created_at":["2
2023-09-25T16:07:57Z IDPS-EVT: 019_01_01","2019_01_01"],"detector_id":["101040"],"severity":["75"],"confidence":["70"],"exploited":["None"],"blacklist_mode":["TEST"],"ids_mode":["REAL"],"threat_name":["CVE-2014-0160 Exploit"],"threat_class_name":["hacking tool"],"server_side":["True"],"flip_endpoints":"serial":"33:00:XX:17:09:XX:XX:5B:F3:3C:XX:E4:72:00:00:00:XX:17:09","fingerprint":"6a:b3:c4:4b:8e:94:ab:49:2a:ae:50:xx:e9:26:3a:xx:xx:xx:xx:xx",","version":"TLS 1.2","notbefore":"2023-05-16T13:31:02","notafter":"2024-05-10T13:31:02","ja3":{"hash":"7c410ce832e848a3321432c9xxxxxx","string":"771,49196-xxxxx-xxxxx-49199-159-158-xxxxx-xxxxx-49192-49191-49162-xxxx-xxxx-49171-57-51-157-156-61-60-53-47-10-106-64-56-5
2023-09-25T16:07:57Z IDPS-EVT: 0-19,0-10-11-13-35-23-65281,29-23-24,0"},"ja3s":{"hash":"ae4exxxxx4d08308082ad26xxxxxx","string":"771,00000,23-65281"}},"app_proto":"tls","flow":{"pkts_toserver":5,"pkts_toclient":6,"bytes_toserver":1157,"bytes_toclient":4751,"start":"2023-09-25T16:07:22.570553+0000"}}