Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-3727

The length of the syslog packet_size set to 4096 is not sufficient

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Won't Do
    • Icon: Undefined Undefined
    • None
    • Logging 5.4.11
    • Log Collection
    • False
    • None
    • False
    • NEW
    • NEW

      Description of problem:

      The syslog output length limit is set to 4096 bytes. This configuration is not exposed, and increasing it in the collector configuration is impossible. The same situation is for rfc RFC3164 and RFC5424. The packet_size is set to 4096; The audit logs in OCP are longer than 4096 bytes. This results in a cut of these logs (about 20% of all audit logs).

       

       <match **>
          @type remote_syslog
          @id syslog_audit
          host logcollector01.example.com
          port 514
          rfc rfc5424
          facility kern
          severity Informational
          program ocpaudit
          protocol tcp
          packet_size 4096
          hostname "#{ENV['NODE_NAME']}"
          timeout 60
          timeout_exception true
          keep_alive true
          keep_alive_idle 75
          keep_alive_cnt 9
          keep_alive_intvl 7200
          .
          .
          .
        </match>

       

       

      Version-Release number of selected component:

      • OCP v4.10.20
      • OpenShift Logging Operator: v5.4.4 (the same behavior is visible in cluster-logging v5.4.11)

      Actual results:

      • Audit logs that are longer than 4096 bytes are cut.

      Expected results:

      • Audit logs over 4096 bytes in length are forwarded successfully to the syslog server.

      Additional info:

      • Probably double the size of packet_size should be a good solution, or make this variable configurable and expose it in log forwarding custom resource.

            syedriko_sub@redhat.com Sergey Yedrikov
            rhn-support-rludva Radomir Ludva
            Votes:
            2 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: