-
Bug
-
Resolution: Won't Do
-
Undefined
-
None
-
Logging 5.4.11
-
False
-
None
-
False
-
NEW
-
NEW
-
-
Description of problem:
The syslog output length limit is set to 4096 bytes. This configuration is not exposed, and increasing it in the collector configuration is impossible. The same situation is for rfc RFC3164 and RFC5424. The packet_size is set to 4096; The audit logs in OCP are longer than 4096 bytes. This results in a cut of these logs (about 20% of all audit logs).
<match **> @type remote_syslog @id syslog_audit host logcollector01.example.com port 514 rfc rfc5424 facility kern severity Informational program ocpaudit protocol tcp packet_size 4096 hostname "#{ENV['NODE_NAME']}" timeout 60 timeout_exception true keep_alive true keep_alive_idle 75 keep_alive_cnt 9 keep_alive_intvl 7200 . . . </match>
Version-Release number of selected component:
- OCP v4.10.20
- OpenShift Logging Operator: v5.4.4 (the same behavior is visible in cluster-logging v5.4.11)
Actual results:
- Audit logs that are longer than 4096 bytes are cut.
Expected results:
- Audit logs over 4096 bytes in length are forwarded successfully to the syslog server.
Additional info:
- Probably double the size of packet_size should be a good solution, or make this variable configurable and expose it in log forwarding custom resource.
- is related to
-
OBSDA-344 Audit log forwarding produces excessive data, configuration for prefiltering is needed
- Closed