Description of problem:

The syslog output length limit is set to 4096 bytes. This configuration is not exposed, and increasing it in the collector configuration is impossible. The same situation is for rfc RFC3164 and RFC5424. The packet_size is set to 4096; The audit logs in OCP are longer than 4096 bytes. This results in a cut of these logs (about 20% of all audit logs).

 <match **>
    @type remote_syslog
    @id syslog_audit
    host logcollector01.example.com
    port 514
    rfc rfc5424
    facility kern
    severity Informational
    program ocpaudit
    protocol tcp
    packet_size 4096
    hostname "#{ENV['NODE_NAME']}"
    timeout 60
    timeout_exception true
    keep_alive true
    keep_alive_idle 75
    keep_alive_cnt 9
    keep_alive_intvl 7200
    .
    .
    .
  </match>

Version-Release number of selected component:

• OCP v4.10.20
• OpenShift Logging Operator: v5.4.4 (the same behavior is visible in cluster-logging v5.4.11)

Actual results:

• Audit logs that are longer than 4096 bytes are cut.

Expected results:

• Audit logs over 4096 bytes in length are forwarded successfully to the syslog server.

Additional info:

• Probably double the size of packet_size should be a good solution, or make this variable configurable and expose it in log forwarding custom resource.