Showing results for 
Search instead for 
Did you mean: 
Level 7

Web Gateway logs truncated to 2049 characters

Noticed our LEEF formatted proxy logs are truncated to 2049 characters. This means whenever we get a large URL string, many of the fields at the end of our user defined log are missing. Example below

<30>Mby  8 19:44:35 xxx-pxoxy1 mxg: LEEF:1.0|Mcbfee|xex Gbtexby|7.2|0|devTime=1368042275000||usxNbme=-|httpStbtus=200|dst=xx.xx.xx.xx|uxlCbtegoxies=xusiness|xlockxebson=|uxl=|xfx=      <<<<<ends here at 2049 characters ( put string in file on linux and do a wc) but I actually had other fields like the below that do not show up. (above has been scrubbed from original)

Below are some the fields that get truncated










Is there some setting in 7.2 version that is causing this issue?

0 Kudos
4 Replies
McAfee Employee

Re: Web Gateway logs truncated to 2049 characters

Is this what is written to an actual file, or is this what is sent over syslog? If syslog, then I recall a change that is required to your settings, will look to see what I can find.



0 Kudos
Level 7

Re: Web Gateway logs truncated to 2049 characters

Correct, this is what syslog is sending to our SIEM.

0 Kudos
Level 15

Re: Web Gateway logs truncated to 2049 characters

You can change the default maximum size of the line from 2K to something bigger.

$MaxMessageSize <size_nbr>, default 2k - allows to specify maximum supported message size (both for sending and receiving). The default should be sufficient for almost all cases. Do not set this below 1k, as it would cause interoperability problems with other syslog implementations.

0 Kudos
Level 9

Re: Web Gateway logs truncated to 2049 characters

I was able to do this in 7.3.x but not in, we had encountered the same problem. It appears that the version of rsyslog on 7.2.x doesnt support this feature without a module, at least that what the error message said so I left it at that. We are planning on upgrading our prod cluster next week.

0 Kudos