We moved from the legacy Kiwi Syslog to NG this morning and discovered that NG is truncating logs at 1024 characters. The legacy version is not.
Is there a setting available to adjust this?
Thanks!
KSS NG should not truncate any syslog messages. Can you provide some more details/evidence so we can investigate it? Thanks
Yep I will gather it up and get it to you as soon as I can. Thanks!
Sample of a log being cut off - Windows security log. You can see it cuts "WriteAttribute" in half, and doesn't complete the JSON syntax.
<>Original Address=<redacted> 1 2023-10-23T18:37:30.057Z <redacted> Kiwi_SyslogNet_Server 7804 MSGOUT {"EventTime":"2023-10-23 14:37:30","Hostname":"<redacted>","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4656,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"<redacted>","Version":1,"Task":12800,"OpcodeValue":0,"RecordNumber":562850345,"ProcessID":4,"ThreadID":8404,"Channel":"Security","Message":"A handle to an object was requested.\r\n\r\nSubject:\r\n Security ID: <redacted>\r\n Account Name: <redacted>\r\n Account Domain: <redacted>\r\n Logon ID: <redacted>\r\n\r\nObject:\r\n Object Server: Security\r\n Object Type: File\r\n Object Name: E:HOME<redacted>\r\n Handle ID: <redacted>\r\n Resource Attributes: -\r\n\r\nProcess Information:\r\n Process ID: 0x4\r\n Process Name: \r\n\r\nAccess Request Information:\r\n Transaction ID: <redacted>\r\n Accesses: SYNCHRONIZE\r\n ReadAttributes\r\n WriteAttri
A sample of a log from legacy Kiwi that did not get truncated:
Kiwi_Syslog_Server Original Address=<redacted> {"EventTime": "2023-10-25 15:15:45","Hostname": "<redacted>","Keywords": -9214364837600034816,"EventType": "AUDIT_SUCCESS","SeverityValue": 2,"Severity": "INFO","EventID": 4656,"SourceName": "Microsoft-Windows-Security-Auditing","ProviderGuid": "<redacted>","Version": 1,"Task": 12800,"OpcodeValue": 0,"RecordNumber": "<redacted>","ProcessID": 4,"ThreadID": 9000,"Channel": "Security","Message": "A handle to an object was requested. | Subject: | Security ID: <redacted> | Account Name: <redacted> | Account Domain: <redacted> | Logon ID: <redacted> | Object: | Object Server: Security | Object Type: File | Object Name: <redacted> | Handle ID: <redacted> | Resource Attributes: - | Process Information: | Process ID: 0x4 | Process Name: | Access Request Information: | Transaction ID: <redacted> | Accesses: SYNCHRONIZE | ReadAttributes | WriteAttributes | | Access Reasons: SYNCHRONIZE: Granted by <redacted> | ReadAttributes: Granted by <redacted> | WriteAttributes: Granted by <redacted> | | Access Mask: <redacted> | Privileges Used for Access Check: - | Restricted SID Count: 0","Category": "File System","Opcode": "Info","SubjectUserSid": "<redacted>","SubjectUserName": "<redacted>","SubjectDomainName": "<redacted>","SubjectLogonId": "<redacted>","ObjectServer": "Security","ObjectType": "File","ObjectName": "<redacted>","HandleId": "<redacted>","TransactionId": "<redacted>","AccessList": "<redacted>","AccessReason": "<redacted>","AccessMask": "<redacted>","RestrictedSidCount": "0","EventReceivedTime": 1698261347,"SourceModuleName": "eventlog","SourceModuleType": "<redacted>"}
As a Kiwi Syslog Server user / customer, could you please create a support ticket so we can track it? We will also need debug logs. Thanks
Done and thanks!
Hello,
Was this issue solved? We are testing the new Syslog NG 1.4.0.2 and we face the same issue.
A syslog message over UDP has more text (it is longer) than over TCP, but in both cases the message is not complete.
Is it possible, as in the older Kiwi Syslog, to resize the maximum size from 1024 ("Click File -> Setup -> Modifiers. Look for Maximum message length (bytes).")?
We face the same issue: events sent from Kiwi NG to an MSSQL DB are truncated to 1204 chars even if the database format allows more (4096). We found this documentation: https://documentation.solarwinds.com/en/success_center/kss/content/kssng_adminguide_db_file_formats_available.htm Is it possible to extend the char count in the export to MSSQL? We really do not want to get our Windows logs truncated.
Update:
- Using UDP we are able to get 4096 chars (we did not test more); even the MSSQL export is capable of 4096 chars.
- TCP is limited to 1024 chars; we are pushing support to bump this in development.
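A check for the truncation described in this thread, as an added example that is not part of any post and not SolarWinds code: it flags stored events whose JSON body does not parse and reports the most common length at which they were cut. The sample lines and the helper names (`json_payload`, `is_truncated`, `audit`, `make_event`) are constructed for illustration, and it assumes one event per line.

```python
import json
from collections import Counter


def json_payload(line):
    """Return the text from the first '{' onward, or None if there is no JSON body."""
    start = line.find("{")
    return line[start:] if start != -1 else None


def is_truncated(line):
    """True when the line carries a JSON body that does not parse as a complete object."""
    body = json_payload(line)
    if body is None:
        return False  # not a JSON event; out of scope for this check
    try:
        json.JSONDecoder().raw_decode(body)  # tolerates trailing text after the object
    except json.JSONDecodeError:
        return True  # unterminated string or missing closing brace
    return False


def audit(lines):
    """Count truncated events and report the most common cut length in bytes."""
    cut_lengths = Counter(len(l.encode("utf-8")) for l in lines if is_truncated(l))
    truncated = sum(cut_lengths.values())
    suspected_cap = cut_lengths.most_common(1)[0][0] if truncated else None
    return {"total": len(lines), "truncated": truncated, "suspected_cap": suspected_cap}


def make_event(message_len):
    """Build a constructed syslog line with a JSON body (header values are made up)."""
    header = "<13>1 2023-10-23T18:37:30.057Z host.example app 1 MSGOUT "
    event = {"EventID": 4656, "Hostname": "host.example",
             "Message": "A" * message_len, "Channel": "Security"}
    return header + json.dumps(event)


# Constructed sample input: two complete events and two cut at 1024 characters.
SAMPLES = [
    make_event(100),
    make_event(2000)[:1024],
    make_event(3000)[:1024],
    make_event(2000),
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Run against a day of stored events per transport, a single dominant `suspected_cap` value points to a fixed receiver-side limit rather than to oversized messages from individual senders.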