Events displayed in Explore Logs are truncated - Aria Operations for Logs


Article ID: 380380


Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • The relevant log file on the host contains the complete error message event.
  • The log event appears incomplete in Explore Logs:
    2025-11-06T08:17:58Z <ESXihostFQDN> IDPS-EVT: [vnsyslogd@### msgModified="SF+UT" remoteHostMaxMsgLen="480" originalMsgLen="1777"] [#######]: {"timestamp":"2825-11-
    06T08:17:18.976059+0000", "flow_id":########,"pcap_cnt":#########,"event_type": "alert", "src_ip":"###.###.###.###", "src_port": 58576,"dest_ip":"###.###.###.###","dest_port": 88 "proto":"TCP" "direction": "to_server","nsx_metadata":
    ("flow_src_ip":"###.###.###.###", "flow_dest_ip":"###.###.###.###", "f1
  • The ESXi host sending logs to Aria Operations for Logs is configured to use UDP. This can be determined by running the command esxcli system syslog config get on the ESXi host:
    [root@<hostname>:~] esxcli system syslog config get
       Allow Vsan Backing: false
       Check Certificate Revocation List: false
       Dropped Log File Rotation Size: 100
       Dropped Log File Rotations: 10
       Enforce SSLCertificates: true
       Local Log Output: /scratch/log
       Local Log Output Is Configured: false
       Local Log Output Is Persistent: true
       Local Logging Default Rotation Size: 1024
       Local Logging Default Rotations: 8
       Log Level: error
       Log To Unique Subdirectory: false
       Message Queue Drop Mark: 90
       Remote Host: udp://<Operationsforlogsfqdn>:514
       Remote Host Connect Retry Delay: 180
       Remote Host Maximum Message Length: 1024
       Strict X509Compliance: false
    
  • In Explore Logs, the log event shows that remoteHostMaxMsgLen is 480 bytes but originalMsgLen is greater than 480 bytes.
  • The actual log event is larger than ~480 bytes, while in Explore Logs only ~475 bytes of the message are displayed.
  • The host's Syslog.global.remoteHost.maxMsgLen setting has been increased as per ESXi Syslog Options.
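
To see which hosts are sending truncated events, the vnsyslogd element shown in the event above can be parsed out of exported log lines. The Python below is an added example, not VMware code; it assumes events are text lines in the timestamp, host, application layout shown above, and the sample lines, host names and the `0000` id are constructed.

```python
import re
from collections import defaultdict

# Marker element as shown in the event above. The id after "@" is redacted
# on the page, so any non-space token is accepted here.
SD_RE = re.compile(r'\[vnsyslogd@\S+((?:\s+\w+="[^"]*")+)\]')
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_truncation(event):
    """Return (host, limit, original_len, msg_modified) for a cut event, else None."""
    m = SD_RE.search(event)
    if not m:
        return None
    params = dict(PARAM_RE.findall(m.group(1)))
    try:
        limit = int(params["remoteHostMaxMsgLen"])
        original = int(params["originalMsgLen"])
    except (KeyError, ValueError):
        return None  # marker present but lengths missing or non-numeric
    if original <= limit:
        return None
    fields = event.split(None, 2)  # assumed layout: timestamp, host, rest
    host = fields[1] if len(fields) > 2 else "unknown"
    return host, limit, original, params.get("msgModified", "")

def summarize(events):
    """Per host: truncated event count, sender limit, largest original length."""
    report = defaultdict(lambda: {"truncated": 0, "limit": 0, "max_original": 0})
    for event in events:
        hit = parse_truncation(event)
        if hit:
            host, limit, original, _ = hit
            entry = report[host]
            entry["truncated"] += 1
            entry["limit"] = limit
            entry["max_original"] = max(entry["max_original"], original)
    return dict(report)

# Constructed sample events; hosts, ids and payloads are made up.
SAMPLE = [
    '2025-11-06T08:17:58Z esx01.example.test IDPS-EVT: [vnsyslogd@0000 msgModified="SF+UT" remoteHostMaxMsgLen="480" originalMsgLen="1777"] [1]: {"event_type":"alert","f1',
    '2025-11-06T08:18:02Z esx01.example.test IDPS-EVT: [vnsyslogd@0000 msgModified="SF+UT" remoteHostMaxMsgLen="480" originalMsgLen="950"] [2]: {"event_type":"alert","sr',
    '2025-11-06T08:18:05Z esx02.example.test Hostd: [3]: short message sent in full',
]

if __name__ == "__main__":
    for host, entry in summarize(SAMPLE).items():
        print(f'{host}: {entry["truncated"]} truncated events, limit {entry["limit"]}, '
              f'largest original {entry["max_original"]} bytes')
```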

Environment

Aria Operations for Logs 8.x

Cause

As per the description of Syslog.global.remoteHost.maxMsgLen in ESXi Syslog Options:

This setting does not affect the UDP protocol. RFC 5426 specifies the UDP message lengths that can be safely accepted at 480 bytes for IPV4 and 1180 bytes for IPV6.

Resolution

In order for the host to transmit the complete error message event, reconfigure the host to use TCP instead.

  1. Log in to Aria Operations for Logs.
  2. Browse to Integrations >> vSphere
  3. Edit the integration and reconfigure the host to use TCP instead of UDP.