Logs Truncated when send via UDP to remote syslog

jstride · Apr 17, 2020, 11:07 PM

I have remote syslog set up to two servers one a QNAP, the other Graylog. On both servers the messages being received are being truncated, however in the GUI on the pfSense box the messages are intact. Is there a setting hidden somewhere to change the length of the message?

Message in pfSense GUI

	{"timestamp": "2020-04-18T07:03:18.822373+0800", "flow_id": 2101513366712774, "in_iface": "lagg0.4090", "event_type": "dns", "src_ip": "110.146.238.103", "src_port": 53867, "dest_ip": "58.163.175.144", "dest_port": 53, "proto": "UDP", "dns": {"version": 2, "type": "answer", "id": 13830, "flags": "8410", "qr": true, "aa": true, "rrname": "epdg.epc.mnc001.mcc505.pub.3gppnetwork.org", "rrtype": "A", "rcode": "NOERROR", "answers": [{"rrname": "epdg.epc.mnc001.mcc505.pub.3gppnetwork.org", "rrtype": "A", "ttl": 10, "rdata": "101.168.246.65"}, {"rrname": "epdg.epc.mnc001.mcc505.pub.3gppnetwork.org", "rrtype": "A", "ttl": 10, "rdata": "101.168.246.193"}, {"rrname": "epdg.epc.mnc001.mcc505.pub.3gppnetwork.org", "rrtype": "A", "ttl": 10, "rdata": "149.135.226.9"}, {"rrname": "epdg.epc.mnc001.mcc505.pub.3gppnetwork.org", "rrtype": "A", "ttl": 10, "rdata": "149.135.224.24"}, {"rrname": "epdg.epc.mnc001.mcc505.pub.3gppnetwork.org", "rrtype": "A", "ttl": 10, "rdata": "144.135.83.107"}, {"rrname": "epdg.epc.mnc001.mcc505.pub.3gppnetwork.org", "rrtype": "A", "ttl": 10, "rdata": "149.135.136.48"}], "grouped": {"A": ["101.168.246.65", "101.168.246.193", "149.135.226.9", "149.135.224.24", "144.135.83.107", "149.135.136.48"]}, "authorities": [{"rrname": "epc.mnc001.mcc505.pub.3gppnetwork.org", "rrtype": "NS", "ttl": 3600}, {"rrname": "epc.mnc001.mcc505.pub.3gppnetwork.org", "rrtype": "NS", "ttl": 3600}]}}

Message in Graylog/QNAP

suricata[46298]: {"timestamp": "2020-04-18T07:03:43.792576+0800", "flow_id": 357262724892928, "in_iface": "lagg0.4090", "event_type": "dns", "src_ip": "110.146.238.103", "src_port": 16303, "dest_ip": "192.148.117.238", "dest_port": 53, "proto": "UDP", "dns": {"version": 2, "type": "answer", "id": 13863, "flags": "8410", "qr": true, "aa": true, "rrname": "epdg.epc.mnc001.mcc505.pub.3gppnetwork.org", "rrtype": "A", "rcode": "NOERROR", "answers": [{"rrname":

bmeeks · Apr 18, 2020, 12:31 AM

There is some variability between the various standards out there for how large of a UDP message syslog, rsyslog or clog supports. Some quick Google foo found suggested limits of 1,024 bytes, 8,192 bytes, 16,384 bytes and finally everyone agreed on an absolute upper limit of 64K bytes. The upper limit is imposed by the maximum amount of data allowed in a UDP datagram.

As to how to, and if you can, alter the limit on pfSense, I'm not sure. It could also be a limit being imposed by your remote syslog client. Some of them, (rsyslog I believe was one) have a default length that can be changed by the user.

So when you posted your pfSense GUI result, did you get that from looking at the actual system log entry under STATUS > SYSTEM LOGS, or were you looking at the EVE JSON log from Suricata itself? If you were looking at the actual pfSense system log and the message was intact there, it might actually be truncated on the receiving end by that syslog daemon. A packet capture would help you identify which side (pfSense or the remote receiver) is truncating the data.

jstride · Apr 22, 2020, 12:59 AM

@bmeeks the whole log was from pfSense syslog. Given both Graylog and QNAP truncate I'll investigate further with packet capture

digdug3 · Jun 20, 2020, 1:11 PM

Hi @jstride, did you figure this out yet? I've the same issue. For me it looks like pfsense is truncating the UDP message.

digdug3 · Jun 20, 2020, 1:16 PM

Ok, just found out pfSense is indeed truncating:
https://forum.netgate.com/topic/152220/suricata-eve-json-cutting-off-in-remote-logging/9