33

It seems Syslog has a 1KB message limit. Is this hardcoded into the Syslog protocol, or is this a parameter that can be set for each server?

I am hoping the article I read was out of date, so if you have any info please share.

the Tin Man
JL.
  • 5
    To be fair, a 1KB message is a rather large system message. – outis Jan 06 '10 at 09:51
  • 4
    If you're using rsyslog, you can set: $MaxMessageSize to be whatever you want in rsyslog.d. – Atomox Jul 29 '14 at 16:34
  • Syslog is quite slow and is intended to be read by a human. So every message longer than 80 bytes is already too long. Take a look at Twitter to learn how to be less verbose. And if you have more information to store, write it into a file and not to Syslog. I generate exceptions in this way: create a UUID for the exception, write the UUID to Syslog and pretty print the exception into a file with the UUID as a name. This has the additional advantage that confidential debugging information will not leave the system via Syslog. The data beyond 80 chars is typically not appropriate for Syslog. – ceving Nov 28 '14 at 13:50

3 Answers

32

This is correct, as can be seen in the syslog protocol RFC. This, and other deficiencies in the syslog protocol, is the reason why modern syslog daemons such as rsyslog support enhanced protocols with features such as TCP transport, encryption, etc. There was also some effort within the IETF to standardize an improved syslog protocol, which resulted in RFC 5424, RFC 5425, and RFC 5426. Here, the minimum maximum message size is relatively small (depending on the transport layer); however, implementations are allowed to support larger messages as well.

Community
janneb
  • According to RFC 5424, the payload size limit is about 64k; the 1k limitation is caused by the practical problem, MTU for example. – jyf1987 Feb 04 '17 at 09:48
6

From my reading of the syslog protocol spec (well, draft standard), message packets can't be more than 1KiB, but (using a fragmentation feature) messages can be. RFC 5424, however, says message size depends on transport, but is at least 480 octets.

Community
outis
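As an added example (not code from any of the answers), the sketch below builds an RFC 5424 message and checks its length against the limits the answers mention: 1024 bytes for legacy syslog (RFC 3164) and 480 octets for RFC 5424, plus the 2048 octets RFC 5424 says receivers should accept. The function names, the classification labels and the sample host and app values are hypothetical.

```python
"""Added example: size an RFC 5424 message against the syslog length limits."""
from datetime import datetime, timezone

# Limits in octets as stated in the RFCs (not settings of any particular daemon).
RFC3164_MAX = 1024      # RFC 3164: total packet length must be 1024 bytes or less
RFC5424_MUST = 480      # RFC 5424: every receiver must accept at least this
RFC5424_SHOULD = 2048   # RFC 5424: every receiver should accept at least this


def build_5424(pri, host, app, msg, ts=None):
    """Return an RFC 5424 message as bytes (PROCID, MSGID and structured data nil)."""
    ts = ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {host} {app} - - - {msg}".encode("utf-8")


def classify(frame):
    """Label a message by the smallest limit it still fits under."""
    n = len(frame)
    if n <= RFC5424_MUST:
        return "guaranteed"          # any conforming receiver takes it whole
    if n <= RFC3164_MAX:
        return "fits-legacy-1k"      # survives the classic 1 KB limit
    if n <= RFC5424_SHOULD:
        return "fits-5424-should"    # accepted by receivers following the SHOULD
    return "receiver-dependent"      # may be truncated or discarded


def truncate(frame, limit):
    """Cut to at most `limit` octets without splitting a UTF-8 sequence."""
    if len(frame) <= limit:
        return frame
    cut = limit
    # frame[cut] is the first dropped byte; if it is a continuation byte
    # (10xxxxxx) the cut falls inside a character, so step back to its start.
    while cut > 0 and (frame[cut] & 0xC0) == 0x80:
        cut -= 1
    return frame[:cut]


if __name__ == "__main__":
    # Constructed sample: a long message with two-byte characters.
    sample = build_5424(14, "host1", "app", "é" * 300, ts="2010-01-06T09:51:00Z")
    print(len(sample), classify(sample), len(truncate(sample, RFC5424_MUST)))
```

Anything past the cut is lost to the receiver, so fields that matter for an investigation belong at the front of the message.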
2

Yes, but you can increase this limit to an arbitrary length by recompiling from source.

See instructions in this blog post I found about truncated syslog messages: http://bsdpants.blogspot.com/2010/08/truncated-syslog-messages.html

anandvc
  • The question is why this limit was important in the first place. Increasing the limit to an arbitrary length will only be a short-term solution. – Akash Jun 08 '18 at 06:10