Netgate Discussion Forum

Logs truncated when sent via UDP to remote syslog

General pfSense Questions
5 Posts 3 Posters 1.3k Views
  • jstride (Apr 17, 2020, 11:07 PM)

    I have remote syslog set up to two servers, one a QNAP, the other Graylog. On both servers the messages being received are being truncated; however, in the GUI on the pfSense box the messages are intact. Is there a setting hidden somewhere to change the length of the message?

    Message in pfSense GUI

    	{"timestamp": "2020-04-18T07:03:18.822373+0800", "flow_id": 2101513366712774, "in_iface": "lagg0.4090", "event_type": "dns", "src_ip": "110.146.238.103", "src_port": 53867, "dest_ip": "58.163.175.144", "dest_port": 53, "proto": "UDP", "dns": {"version": 2, "type": "answer", "id": 13830, "flags": "8410", "qr": true, "aa": true, "rrname": "epdg.epc.mnc001.mcc505.pub.3gppnetwork.org", "rrtype": "A", "rcode": "NOERROR", "answers": [{"rrname": "epdg.epc.mnc001.mcc505.pub.3gppnetwork.org", "rrtype": "A", "ttl": 10, "rdata": "101.168.246.65"}, {"rrname": "epdg.epc.mnc001.mcc505.pub.3gppnetwork.org", "rrtype": "A", "ttl": 10, "rdata": "101.168.246.193"}, {"rrname": "epdg.epc.mnc001.mcc505.pub.3gppnetwork.org", "rrtype": "A", "ttl": 10, "rdata": "149.135.226.9"}, {"rrname": "epdg.epc.mnc001.mcc505.pub.3gppnetwork.org", "rrtype": "A", "ttl": 10, "rdata": "149.135.224.24"}, {"rrname": "epdg.epc.mnc001.mcc505.pub.3gppnetwork.org", "rrtype": "A", "ttl": 10, "rdata": "144.135.83.107"}, {"rrname": "epdg.epc.mnc001.mcc505.pub.3gppnetwork.org", "rrtype": "A", "ttl": 10, "rdata": "149.135.136.48"}], "grouped": {"A": ["101.168.246.65", "101.168.246.193", "149.135.226.9", "149.135.224.24", "144.135.83.107", "149.135.136.48"]}, "authorities": [{"rrname": "epc.mnc001.mcc505.pub.3gppnetwork.org", "rrtype": "NS", "ttl": 3600}, {"rrname": "epc.mnc001.mcc505.pub.3gppnetwork.org", "rrtype": "NS", "ttl": 3600}]}}
    

    Message in Graylog/QNAP

    suricata[46298]: {"timestamp": "2020-04-18T07:03:43.792576+0800", "flow_id": 357262724892928, "in_iface": "lagg0.4090", "event_type": "dns", "src_ip": "110.146.238.103", "src_port": 16303, "dest_ip": "192.148.117.238", "dest_port": 53, "proto": "UDP", "dns": {"version": 2, "type": "answer", "id": 13863, "flags": "8410", "qr": true, "aa": true, "rrname": "epdg.epc.mnc001.mcc505.pub.3gppnetwork.org", "rrtype": "A", "rcode": "NOERROR", "answers": [{"rrname":
    
    • bmeeks (Apr 18, 2020, 12:27 AM; last edited by bmeeks Apr 18, 2020, 12:31 AM)

      There is some variability between the various standards out there for how large of a UDP message syslog, rsyslog or clog supports. Some quick Google-fu found suggested limits of 1,024 bytes, 8,192 bytes, 16,384 bytes, and finally everyone agreed on an absolute upper limit of 64K bytes. The upper limit is imposed by the maximum amount of data allowed in a UDP datagram.

      As to how to, and if you can, alter the limit on pfSense, I'm not sure. It could also be a limit being imposed by your remote syslog client. Some of them (rsyslog, I believe, was one) have a default length that can be changed by the user.

      So when you posted your pfSense GUI result, did you get that from looking at the actual system log entry under STATUS > SYSTEM LOGS, or were you looking at the EVE JSON log from Suricata itself? If you were looking at the actual pfSense system log and the message was intact there, it might actually be truncated on the receiving end by that syslog daemon. A packet capture would help you identify which side (pfSense or the remote receiver) is truncating the data.

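To act on the advice above (find out whether the datagram is already short when it leaves pfSense, or is cut by the receiving syslog daemon), here is an added example that is not from this thread or from any Netgate/pfSense code. It parses a BSD-style syslog line, checks whether the JSON body is complete, and reports how close the datagram length sits to the limits quoted above. The sample EVE-like record, the hostname `pfSense`, the listener port 5140 and the `example.invalid` name are all constructed for the example; point pfSense's remote syslog target at the listener's port temporarily and compare the reported length with what the real syslog daemon stores.

```python
"""Check syslog-over-UDP messages for truncation (constructed example)."""
import json
import re
import socket

# UDP syslog size limits mentioned in the thread (bytes); 65535 is the UDP maximum.
KNOWN_LIMITS = (1024, 8192, 16384, 65535)

# BSD-style syslog line: <PRI>Mon dd hh:mm:ss host prog[pid]: body
_HEADER_RE = re.compile(
    rb"^(?:<(?P<pri>\d{1,3})>)?"
    rb"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    rb"(?P<host>\S+) "
    rb"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    rb"(?P<body>.*)$",
    re.DOTALL,
)


def parse_syslog(raw: bytes) -> dict:
    """Split a syslog datagram into program name and message body."""
    m = _HEADER_RE.match(raw)
    if not m:
        # Not a recognisable header: treat the whole datagram as the body.
        return {"program": None, "body": raw}
    return {"program": m.group("prog").decode(errors="replace"), "body": m.group("body")}


def json_is_complete(body: bytes) -> bool:
    """True if the body parses as JSON; a truncated EVE record will not."""
    try:
        json.loads(body.decode("utf-8", errors="replace"))
        return True
    except json.JSONDecodeError:
        return False


def analyse(raw: bytes) -> dict:
    """Report length, JSON completeness and whether the length hugs a known limit."""
    parsed = parse_syslog(raw)
    length = len(raw)
    # A datagram ending within 64 bytes below a known limit is a strong truncation hint.
    near = next((lim for lim in KNOWN_LIMITS if lim - 64 <= length <= lim), None)
    return {
        "program": parsed["program"],
        "length": length,
        "json_complete": json_is_complete(parsed["body"]),
        "near_limit": near,
    }


def build_sample_record(n_answers: int) -> dict:
    """Constructed EVE-style DNS record with enough answers to exceed 1,024 bytes."""
    name = "example.invalid"  # constructed, not a real query
    return {
        "timestamp": "2020-04-18T07:03:18.822373+0800",
        "event_type": "dns",
        "dns": {
            "type": "answer",
            "rrname": name,
            "answers": [
                {"rrname": name, "rrtype": "A", "ttl": 10, "rdata": f"192.0.2.{i}"}
                for i in range(n_answers)
            ],
        },
    }


def build_syslog_line(record: dict) -> bytes:
    """Wrap a record in a constructed syslog header the way a suricata line would look."""
    body = json.dumps(record, separators=(", ", ": ")).encode()
    return b"<37>Apr 18 07:03:18 pfSense suricata[46298]: " + body


# Constructed samples: one intact line (about 2.5 KB) and the same line cut at 1,024 bytes.
FULL_LINE = build_syslog_line(build_sample_record(30))
TRUNCATED_LINE = FULL_LINE[:1024]


def listen_and_report(port: int = 5140, count: int = 10) -> list:
    """Bind a UDP socket (hypothetical port) and analyse the first `count` datagrams."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        for _ in range(count):
            data, peer = sock.recvfrom(65535)
            info = analyse(data)
            info["peer"] = peer[0]
            print(info)
            results.append(info)
    return results


if __name__ == "__main__":
    for line in (FULL_LINE, TRUNCATED_LINE):
        print(analyse(line))
```

If `listen_and_report` shows `json_complete` already False with `length` sitting on one of the known limits, the sender is cutting the datagram; if the datagrams arrive intact but the stored log is short, the receiving daemon or its input size setting is the place to look.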
      • jstride @bmeeks (Apr 22, 2020, 12:59 AM)

        @bmeeks the whole log was from pfSense syslog. Given both Graylog and QNAP truncate, I'll investigate further with packet capture.

        • digdug3 (Jun 20, 2020, 1:11 PM)

          Hi @jstride, did you figure this out yet? I've the same issue. For me it looks like pfSense is truncating the UDP message.

          • digdug3 (Jun 20, 2020, 1:16 PM)

            Ok, just found out pfSense is indeed truncating:
            https://forum.netgate.com/topic/152220/suricata-eve-json-cutting-off-in-remote-logging/9

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.