wpkm
Level 7
Message 1 of 5

Web Gateway logs truncated to 2049 characters

Noticed our LEEF formatted proxy logs are truncated to 2049 characters. This means whenever we get a large URL string, many of the fields at the end of our user defined log are missing. Example below:

<30>Mby  8 19:44:35 xxx-pxoxy1 mxg: LEEF:1.0|Mcbfee|xex Gbtexby|7.2|0|devTime=1368042275000|sxc=xxx.xxx.xxx.xxx|usxNbme=-|httpStbtus=200|dst=xx.xx.xx.xx|uxlCbtegoxies=xusiness|xlockxebson=|uxl=http://x.xcoxecbxdxesebxch.com/p?ns__t=1368042275857&ns_c=xindoxs-1252&c1=3&c3=40652&c4=C:122342-Z:4...|xfx=http://shoxbds.puxmbtic.com/bdSexvex/bdSexvexSexvlet?kbdNetxoxk=79&lbstdefbdnxkID=79&defcount=3&puxI...

<<<<< ends here at 2049 characters (put string in file on Linux and do a wc), but I actually had other fields like the below that do not show up. (The above has been scrubbed from the original.)

Below are some of the fields that get truncated:

rfr=

httpVersion=

httpMethod=

Cache_Status=

BytesToClient=

BytesFromClient=

dstPort=

UserAgent=

srcHostname

Is there some setting in 7.2 version that is causing this issue?

4 Replies
McAfee Employee jscholte
Message 2 of 5

Re: Web Gateway logs truncated to 2049 characters

Is this what is written to an actual file, or is this what is sent over syslog? If syslog, then I recall a change that is required to your settings, will look to see what I can find.

Best,

Jon

wpkm
Level 7
Message 3 of 5

Re: Web Gateway logs truncated to 2049 characters

Correct, this is what syslog is sending to our SIEM.

Re: Web Gateway logs truncated to 2049 characters

You can change the default maximum size of the line from 2K to something bigger.

http://www.rsyslog.com/doc/rsyslog_conf_global.html


$MaxMessageSize <size_nbr>, default 2k - allows to specify maximum supported message size (both for sending and receiving). The default should be sufficient for almost all cases. Do not set this below 1k, as it would cause interoperability problems with other syslog implementations.

Re: Web Gateway logs truncated to 2049 characters

I was able to do this in 7.3.x but not in 7.2.0.8.0; we had encountered the same problem. It appears that the version of rsyslog on 7.2.x doesn't support this feature without a module, at least that's what the error message said, so I left it at that. We are planning on upgrading our prod cluster next week.
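
To find which events in the SIEM were affected, here is an added example (not part of the original thread, and not McAfee or rsyslog code). It parses the pipe-delimited LEEF line shown in the first post and classifies each received line by whether it reached the 2048-byte limit and which of the listed trailing fields are missing. The function names and the sample event with its hosts and values are constructed; it assumes values contain no literal `|` and that the 2049 reported by `wc` included a trailing newline.

```python
import re

# Trailing fields of the user-defined log, as listed in the first post.
EXPECTED_TAIL = ["httpVersion", "httpMethod", "Cache_Status", "BytesToClient",
                 "BytesFromClient", "dstPort", "UserAgent", "srcHostname"]
# Assumption: wc's 2049 counted a newline, so the message is 2048 bytes (the 2k default).
SYSLOG_LIMIT = 2048

def parse_leef(line):
    """Return the key=value attributes of a pipe-delimited LEEF:1.0 line."""
    m = re.search(r"LEEF:1\.0\|", line)
    if m is None:
        return None
    # Assumption: values contain no literal '|' (as in the sample on the page).
    fields = line[m.end():].split("|")[4:]  # skip vendor|product|version|eventID
    attrs = {}
    for field in fields:
        key, sep, value = field.partition("=")
        if sep:  # a key that was cut off before its '=' is dropped
            attrs[key] = value
    return attrs

def classify(line, limit=SYSLOG_LIMIT):
    """Classify one received line: ok, truncated, suspect or incomplete."""
    body = line.rstrip("\r\n")
    attrs = parse_leef(body)
    if attrs is None:
        return "not-leef", []
    missing = [k for k in EXPECTED_TAIL if k not in attrs]
    at_limit = len(body.encode("utf-8")) >= limit
    if at_limit and missing:
        return "truncated", missing   # cut off by the message size limit
    if at_limit:
        return "suspect", missing     # all keys present, last value may be cut
    if missing:
        return "incomplete", missing  # short line: check the log format itself
    return "ok", missing

def sample_event(url):
    """Constructed sample event; every host and value is made up."""
    return ("<30>May  8 19:44:35 proxy1 mwg: LEEF:1.0|Vendor|Web Gateway|7.2|0|"
            f"devTime=1368042275000|src=192.0.2.10|httpStatus=200|url={url}|"
            "rfr=http://ref.example/|httpVersion=1.1|httpMethod=GET|"
            "Cache_Status=TCP_MISS|BytesToClient=512|BytesFromClient=300|"
            "dstPort=80|UserAgent=Mozilla/5.0|srcHostname=host1.example")

if __name__ == "__main__":
    for url in ("http://example.com/p?a=1", "http://example.com/p?q=" + "A" * 3000):
        print(classify(sample_event(url)[:SYSLOG_LIMIT]))  # slice simulates the 2k cut
```

Run over a day of proxy events, the "truncated" count shows how many records lost their trailing fields, and it should drop to zero once the relay's maximum message size has been raised.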
