Noticed our LEEF formatted proxy logs are truncated to 2049 characters. This means whenever we get a large URL string, many of the fields at the end of our user defined log are missing. Example below:
<30>Mby 8 19:44:35 xxx-pxoxy1 mxg: LEEF:1.0|Mcbfee|xex Gbtexby|7.2|0|devTime=1368042275000|sxc=xxx.xxx.xxx.xxx|usxNbme=-|httpStbtus=200|dst=xx.xx.xx.xx|uxlCbtegoxies=xusiness|xlockxebson=|uxl=http://x.xcoxecbxdxesebxch.com/p?ns__t=1368042275857&ns_c=xindoxs-1252&c1=3&c3=40652&c4=C:122342-Z:4...|xfx=http://shoxbds.puxmbtic.com/bdSexvex/bdSexvexSexvlet?kbdNetxoxk=79&lbstdefbdnxkID=79&defcount=3&puxI... <<<<< ends here at 2049 characters (put the string in a file on Linux and do a wc), but I actually had other fields like the below that do not show up. (The above has been scrubbed from the original.)
Below are some of the fields that get truncated:
rfr=
httpVersion=
httpMethod=
Cache_Status=
BytesToClient=
BytesFromClient=
dstPort=
UserAgent=
srcHostname
Is there some setting in 7.2 version that is causing this issue?
Is this what is written to an actual file, or is this what is sent over syslog? If syslog, then I recall a change that is required to your settings; I will look to see what I can find.
Best,
Jon
Correct, this is what syslog is sending to our SIEM.
You can change the default maximum size of the line from 2K to something bigger.
http://www.rsyslog.com/doc/rsyslog_conf_global.html
$MaxMessageSize <size_nbr>, default 2k - allows to specify maximum supported message size (both for sending and receiving). The default should be sufficient for almost all cases. Do not set this below 1k, as it would cause interoperability problems with other syslog implementations.
I was able to do this in 7.3.x but not in 7.2.0.8.0; we had encountered the same problem. It appears that the version of rsyslog on 7.2.x doesn't support this feature without a module, at least that's what the error message said, so I left it at that. We are planning on upgrading our prod cluster next week.
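A check for the symptom described in this thread, added here as an example and not code from the original posts or from the gateway vendor: it parses the LEEF lines, compares the extension keys against the user-defined field list, and flags events that sit at rsyslog's default 2k limit with trailing keys missing. The key names follow the thread; the scrubbed ones (src, usrName, urlCategories, blockReason, url) and the sample values are assumptions.

```python
import re
# LEEF header: LEEF:Version|Vendor|Product|ProductVersion|EventID|extension
LEEF_RE = re.compile(r"LEEF:([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")

# Keys of the user-defined log (names from the thread; the scrubbed ones are
# assumed to be src, usrName, urlCategories, blockReason and url).
EXPECTED_KEYS = [
    "devTime", "src", "usrName", "httpStatus", "dst", "urlCategories",
    "blockReason", "url", "rfr", "httpVersion", "httpMethod", "Cache_Status",
    "BytesToClient", "BytesFromClient", "dstPort", "UserAgent", "srcHostname",
]
DEFAULT_MAX = 2048  # rsyslog's default $MaxMessageSize (2k)

def parse_leef(line):
    """Split a LEEF line into its header tuple and a dict of extension keys."""
    m = LEEF_RE.search(line)
    if not m:
        raise ValueError("not a LEEF line")
    ext = {}
    for kv in m.group(6).split("|"):      # this gateway uses '|' in the extension
        if "=" in kv:                      # split once: URLs contain '=' themselves
            k, v = kv.split("=", 1)
            ext[k] = v
    return m.groups()[:5], ext

def check_truncation(line, expected=EXPECTED_KEYS, limit=DEFAULT_MAX):
    """Return (missing keys, truncated?). A line at or beyond the limit that
    lacks trailing keys was cut by the forwarder, not omitted by the gateway."""
    _, ext = parse_leef(line)
    missing = [k for k in expected if k not in ext]
    truncated = len(line.encode()) >= limit and bool(missing)
    return missing, truncated

def build_sample(url_len):
    """Constructed event in the thread's layout (placeholder values)."""
    fields = {
        "devTime": "1368042275000", "src": "10.0.0.1", "usrName": "-",
        "httpStatus": "200", "dst": "192.0.2.10", "urlCategories": "Business",
        "blockReason": "", "url": "http://example.invalid/p?q=" + "a" * url_len,
        "rfr": "http://example.invalid/", "httpVersion": "1.1", "httpMethod": "GET",
        "Cache_Status": "TCP_MISS", "BytesToClient": "512", "BytesFromClient": "128",
        "dstPort": "443", "UserAgent": "Mozilla/5.0", "srcHostname": "host1",
    }
    ext = "|".join(f"{k}={v}" for k, v in fields.items())
    return "<30>May  8 19:44:35 proxy1 mwg: LEEF:1.0|McAfee|Web Gateway|7.2|0|" + ext

def demo():
    full = build_sample(100)
    cut = build_sample(2000)[:2049]   # what a 2k-limited rsyslog forwards
    return check_truncation(full), check_truncation(cut)
```

Running `demo()` shows the short event intact and the long one reported as truncated with every key after `url` missing, which is the pattern to alert on until $MaxMessageSize is raised.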