On Tue, 8 Sep 2009, Rainer Gerhards wrote: > Was there an non-rsyslog relay in the relay chain? If not, it points to the > rsyslog forwarding module doing the truncation (what recent v3+ i think > should not do...)
yes, as far as I know the none of the senders are rsyslog yet. I am working from the central server out. the central server is rsyslog with no problems all but this one relay box are rsyslog things sending to these relay boxes are whatever syslog sender was on the OS/appliance (there may be some acting as relays as well as sending for themselves) David Lang > rainer > > ----- Urspr?ngliche Nachricht ----- > Von: "[email protected]" <[email protected]> > An: "rsyslog-users" <[email protected]> > Gesendet: 08.09.09 19:55 > Betreff: Re: [rsyslog] Help requested: UDP max message size? > > On Tue, 8 Sep 2009, Rainer Gerhards wrote: > >> oh my... Please disregard this question. I was working on a tcpdump file, and >> the message length actually *is* 1024 bytes. I was confused by Wireshark's >> (correct!) indication that the frame is 1066 octets in length. Of course, >> this is correct, if you take the 42 octets of UDP header into account... >> >> I guess the dump file was created with a max of 1K... > > the dump file was set -s 0 (up to 64k packet size), but many/most syslog > senders will limit their outbound data to 1k > > David Lang > >> Sometimes it is sooo easy ... and yet so hard to see ;) >> >> Sorry for the interruption, >> Rainer >> >>> -----Original Message----- >>> From: [email protected] [mailto:rsyslog- >>> [email protected]] On Behalf Of Rainer Gerhards >>> Sent: Tuesday, September 08, 2009 1:23 PM >>> To: [email protected] >>> Subject: [rsyslog] Help requested: UDP max message size? >>> >>> Hi all, >>> >>> I am really banging my head on a problem which sounds too easy. I have >>> seen that my systems (and some others as well), seem to not provide >>> more >>> than 1024 bytes on a recvfrom() call. With wireshark, I see that the >>> system itself, at the IP layer, receives more data. I am a bit puzzled, >>> to phrase it lightly. I did not find any information on such a >>> limitation. >>> >>> I have created a strip-down version of a receiver, even built it on top >>> of the Linux man pages samples. Out of desperation, I even set the >>> receivebuf size, which I think has no effect on datagram sockets. >>> Still... I only get 1024 bytes. Code is after my sig. >>> >>> Does anybody have an idea what is going on OR a good place where to ask >>> this question? >>> >>> Thanks, >>> Rainer >>> >>> #include <sys/types.h> >>> #include <stdio.h> >>> #include <stdlib.h> >>> #include <unistd.h> >>> #include <string.h> >>> #include <sys/socket.h> >>> #include <netdb.h> >>> >>> #define BUF_SIZE 2048 >>> >>> int >>> main(int argc, char *argv[]) >>> { >>> struct addrinfo hints; >>> struct addrinfo *result, *rp; >>> int sfd, s; >>> struct sockaddr_storage peer_addr; >>> socklen_t peer_addr_len; >>> ssize_t nread; >>> char buf[BUF_SIZE]; >>> >>> if (argc != 2) { >>> fprintf(stderr, "Usage: %s port\n", argv[0]); >>> exit(EXIT_FAILURE); >>> } >>> >>> memset(&hints, 0, sizeof(struct addrinfo)); >>> hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */ >>> hints.ai_socktype = SOCK_DGRAM; /* Datagram socket */ >>> hints.ai_flags = AI_PASSIVE; /* For wildcard IP address >>> */ >>> hints.ai_protocol = 0; /* Any protocol */ >>> hints.ai_canonname = NULL; >>> hints.ai_addr = NULL; >>> hints.ai_next = NULL; >>> >>> s = getaddrinfo(NULL, argv[1], &hints, &result); >>> if (s != 0) { >>> fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(s)); >>> exit(EXIT_FAILURE); >>> } >>> >>> /* getaddrinfo() returns a list of address structures. >>> Try each address until we successfully bind(2). >>> If socket(2) (or bind(2)) fails, we (close the socket >>> and) try the next address. */ >>> >>> for (rp = result; rp != NULL; rp = rp->ai_next) { >>> sfd = socket(rp->ai_family, rp->ai_socktype, >>> rp->ai_protocol); >>> if (sfd == -1) >>> continue; >>> >>> >>> int result2; >>> int bufSize = 2048; >>> result2 = setsockopt(sfd, SOL_SOCKET, SO_RCVBUF, &bufSize, >>> sizeof(bufSize)); >>> printf("result of setsockopt: %d\n", result2); >>> >>> if (bind(sfd, rp->ai_addr, rp->ai_addrlen) == 0) >>> break; /* Success */ >>> >>> close(sfd); >>> } >>> >>> if (rp == NULL) { /* No address succeeded */ >>> fprintf(stderr, "Could not bind\n"); >>> exit(EXIT_FAILURE); >>> } >>> >>> freeaddrinfo(result); /* No longer needed */ >>> >>> /* Read datagrams and echo them back to sender */ >>> for (;;) { >>> peer_addr_len = sizeof(struct sockaddr_storage); >>> memset(buf, 0, BUF_SIZE); >>> nread = recvfrom(sfd, buf, BUF_SIZE, 0, >>> (struct sockaddr *) &peer_addr, &peer_addr_len); >>> if(nread > 1024) >>> printf("NREAD > 1024!"); >>> if (nread == -1) >>> continue; /* Ignore failed request */ >>> >>> char host[NI_MAXHOST], service[NI_MAXSERV]; >>> >>> s = getnameinfo((struct sockaddr *) &peer_addr, >>> peer_addr_len, host, NI_MAXHOST, >>> service, NI_MAXSERV, NI_NUMERICSERV); >>> if (s == 0) >>> printf("Received %ld bytes from %s:%s, msg:'%s'\n", >>> (long) nread, host, service, buf); >>> else >>> fprintf(stderr, "getnameinfo: %s\n", >>> gai_strerror(s)); >>> } >>> } >>> >>> >>> _______________________________________________ >>> rsyslog mailing list >>> http://lists.adiscon.net/mailman/listinfo/rsyslog >>> http://www.rsyslog.com >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com >> > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
