Message is shown as truncated in Wireshark when to_syslog_ietf() is used.
I am using the NXLog IETF format (i.e. to_syslog_ietf()) to write logs. But in Wireshark (Packet Detail Window) the message is shown as follows:
Message [truncated]: 1 2022-08-11T10:45:38.152473+05:30 LINL190403680 NCM 0 - [NXLOG@14506 Keywords="36028797018963968" EventType="INFO" EventID="0" Version="0" Task="0" OpcodeValue="0" RecordNumber="24530" ThreadID="0" Channel="Applicati Syslog version: 1 Syslog timestamp: Aug 11, 2022 10:45:38.000000000 UTC Syslog hostname: LINL190403680 Syslog app name: NCM Syslog process id: 0 Syslog message id [truncated]: - [NXLOG@14506 Keywords="36028797018963968" EventType="INFO" EventID="0" Version="0" Task="0" OpcodeValue="0" RecordNumber="24530" ThreadID="0" Channel="Application" Opcode="Info" EventReceivedTime="2022-08-
whereas using the BSD format does not cause this issue. The required format is shown below:
Priority (enclosed in < >) representing both facility and severity: <30>
Syslog Version: 1
Syslog timestamp: 2022-08-11T10:45:38.152473+05:30
Syslog hostname: LINL190403680
Syslog app name: NCM
Syslog Process id: 0
Message identifier:
Optional message specific properties (structured data) (enclosed in [ ]) : [NXLOG@14506 Keywords="36028797018963968" EventType="INFO" EventID="0" Version="0" Task="0" OpcodeValue="0" RecordNumber="24530" ThreadID="0" Channel="Application" Opcode="Info" EventReceivedTime="2022-08-11 10:45:38" SourceModuleName="ExtendedWindowsToCollect" SourceModuleType="im_msvistalog"]
A human-readable message (encoded in UTF-8 and starting with BOM, or 7-bit ASCII only bytes): [CB-002] Application is stopped sucessfully.
Hi Prakash,
There are cases when large events may cause a problem during transport or for processing by the receiving end. Such a case may be packet fragmentation when using UDP. To prevent this issue, the event may be truncated to make sure that it does not exceed a specific size. The length of syslog_ietf events is most often greater than that of syslog_bsd events due to the event structure.
Kindly review the link for more information on this and how to control this in your configuration.
Regards,
Jeffron
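As an added example (not from the original thread and not NXLog's own code), the script below parses an RFC 5424 (syslog IETF) line into the fields Prakash lists, flags an event whose structured data was cut off before its closing "]" (the symptom visible in the Wireshark capture), and shows why the IETF form is longer than the BSD form that Jeffron mentions by rebuilding the same event as a BSD line. The sample line is constructed from the field values quoted in the question; the 480-byte limit is the minimum datagram size RFC 5426 requires IPv4 syslog receivers to accept and stands in for whatever size limit the transport actually imposes; the function names are my own.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample modelled on the fields quoted in the question (not a real capture).
SAMPLE_IETF = (
    '<30>1 2022-08-11T10:45:38.152473+05:30 LINL190403680 NCM 0 - '
    '[NXLOG@14506 Keywords="36028797018963968" EventType="INFO" EventID="0" '
    'Channel="Application" Opcode="Info" SourceModuleType="im_msvistalog"] '
    '[CB-002] Application is stopped successfully.'
)

# RFC 5426 s.3.2: every IPv4 syslog/UDP receiver must accept datagrams up to 480 octets.
UDP_IPV4_MIN_RECEIVE = 480

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP ...
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) '
    r'(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$', re.S)
# One SD-ELEMENT: "[" SD-ID *(SP PARAM-NAME "=" DQUOTE PARAM-VALUE DQUOTE) "]"
SD_ELEMENT_RE = re.compile(r'\[(?P<id>[^ \]=]+)(?P<params>(?: [^ =\]]+="(?:[^"\\]|\\.)*")*)\]')
PARAM_RE = re.compile(r'(?P<name>[^ =\]]+)="(?P<value>(?:[^"\\]|\\.)*)"')


@dataclass
class SyslogIetf:
    facility: int
    severity: int
    version: int
    timestamp: str
    hostname: str
    appname: str
    procid: str
    msgid: str
    structured_data: dict = field(default_factory=dict)
    msg: str = ''
    truncated: bool = False  # set when structured data opens with "[" but never closes


def _unescape(value: str) -> str:
    # RFC 5424 escapes '"', '\' and ']' inside PARAM-VALUE with a backslash.
    return re.sub(r'\\([\]"\\])', r'\1', value)


def parse_ietf(line: str) -> SyslogIetf:
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not an RFC 5424 header')
    pri = int(m['pri'])
    ev = SyslogIetf(facility=pri >> 3, severity=pri & 7, version=int(m['version']),
                    timestamp=m['timestamp'], hostname=m['hostname'],
                    appname=m['appname'], procid=m['procid'], msgid=m['msgid'])
    rest = m['rest']
    if rest == '-' or rest.startswith('- '):   # NILVALUE: no structured data
        ev.msg = rest[2:]
        return ev
    pos = 0
    while pos < len(rest) and rest[pos] == '[':
        sm = SD_ELEMENT_RE.match(rest, pos)
        if not sm:
            # An SD-ELEMENT was opened but no well-formed "]" follows: the event was cut off.
            ev.truncated = True
            return ev
        ev.structured_data[sm['id']] = {
            p['name']: _unescape(p['value']) for p in PARAM_RE.finditer(sm['params'])}
        pos = sm.end()
    ev.msg = rest[pos:].lstrip(' ')   # a single SP separates SD from MSG
    return ev


def fits_transport(line: str, max_bytes: int = UDP_IPV4_MIN_RECEIVE) -> bool:
    """True if the encoded line does not exceed the assumed transport limit."""
    return len(line.encode('utf-8')) <= max_bytes


def truncate_to(line: str, max_bytes: int) -> str:
    """Cut the line at a byte limit without splitting a UTF-8 sequence (mirrors a size cap)."""
    return line.encode('utf-8')[:max_bytes].decode('utf-8', errors='ignore')


def to_bsd(ev: SyslogIetf) -> str:
    """Rebuild the event as a BSD (RFC 3164 style) line: no version, no structured data."""
    dt = datetime.fromisoformat(ev.timestamp)
    pri = (ev.facility << 3) | ev.severity
    return f'<{pri}>{dt:%b} {dt.day:2d} {dt:%H:%M:%S} {ev.hostname} {ev.appname}[{ev.procid}]: {ev.msg}'


if __name__ == '__main__':
    full = parse_ietf(SAMPLE_IETF)
    print('IETF bytes:', len(SAMPLE_IETF), 'BSD bytes:', len(to_bsd(full)))
    cut = parse_ietf(truncate_to(SAMPLE_IETF, 120))
    print('truncated event detected:', cut.truncated)
```

Running `parse_ietf` over a capture with `truncated` set is a quick way to tell a genuinely cut-off event apart from one that Wireshark merely abbreviates in its summary column; comparing `len(line)` against the limit the transport enforces tells you whether the size cap, rather than the format itself, is what trims the structured data.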