RSA enVision^® Discussions

RSAAdmin · ‎2012-09-17

Hi,

When syslog configuration on Aix server is configured to send logs directly to RSA envision collector, the complete log reaches the collector.

But when it was configured through proxy(syslog ng) the log is getting truncated.

I could see the complete log that reaches proxy server using tcpdump, but when it reaches collector its been truncated. Especially the "message forwarded from"string in Aix logs is getting truncated.

As the stock parser of Aix always has "message forwarded from" in the xml header, so the logs from Aix discovers as unknown or linux.

Any troubleshooting steps please assist?

RSAAdmin · ‎2012-09-18

If I understand your post correctly, you must be receiving the messages on the collector at UDP port 514. What's the length of each message? Messages longer than 1947 bytes are truncated by the collector.

RSAAdmin · ‎2012-09-20

Logs are received through port TCP 514.

The same message is received in collector without truncating, when sylog is configured directly to collector without proxy in between.

RSAAdmin · ‎2012-09-20

Would you like to explore and play with "Remove relay headers" setting in the device attributes or on the syslog ng side.

Or capture the outgoing message on the syslog ng server as well as capture incoming message on collector to check if the whole message is hiting the network before we say it is application which is truncating the message.

I hope this may help you finding the real problem or if you are missing any configuration on either side.

RSAAdmin · ‎2012-09-23

Tried with "remove relay headers" but no luck.

while doing a tcpdump in proxy I am able to see a complete log with "message forwarded from" in it.

But in collector it does not.

RSA enVision® Discussions

Aix Logs getting truncated

RSA enVision^® Discussions