> -----Original Message----- > From: [email protected] > [mailto:[email protected]] On Behalf Of [email protected] > Sent: Tuesday, September 08, 2009 8:42 PM > To: rsyslog-users > Subject: Re: [rsyslog] Help requested: UDP max message size? > > On Tue, 8 Sep 2009, Rainer Gerhards wrote: > > > Was there an non-rsyslog relay in the relay chain? If not, > it points to the rsyslog forwarding module doing the > truncation (what recent v3+ i think should not do...) > > yes, as far as I know the none of the senders are rsyslog yet.
Well, from what I see in the tcpdump logs, the initial sender is rsyslog and the messages originated from imklog. I can point you to the entries in question, but I don't have logs with me now. Rainer > > I am working from the central server out. > > the central server is rsyslog with no problems > > all but this one relay box are rsyslog > > things sending to these relay boxes are whatever syslog > sender was on the > OS/appliance (there may be some acting as relays as well as > sending for > themselves) > > David Lang > > > rainer > > > > ----- Urspr?ngliche Nachricht ----- > > Von: "[email protected]" <[email protected]> > > An: "rsyslog-users" <[email protected]> > > Gesendet: 08.09.09 19:55 > > Betreff: Re: [rsyslog] Help requested: UDP max message size? > > > > On Tue, 8 Sep 2009, Rainer Gerhards wrote: > > > >> oh my... Please disregard this question. I was working on > a tcpdump file, and > >> the message length actually *is* 1024 bytes. I was > confused by Wireshark's > >> (correct!) indication that the frame is 1066 octets in > length. Of course, > >> this is correct, if you take the 42 octets of UDP header > into account... > >> > >> I guess the dump file was created with a max of 1K... > > > > the dump file was set -s 0 (up to 64k packet size), but > many/most syslog > > senders will limit their outbound data to 1k > > > > David Lang > > > >> Sometimes it is sooo easy ... and yet so hard to see ;) > >> > >> Sorry for the interruption, > >> Rainer > >> > >>> -----Original Message----- > >>> From: [email protected] [mailto:rsyslog- > >>> [email protected]] On Behalf Of Rainer Gerhards > >>> Sent: Tuesday, September 08, 2009 1:23 PM > >>> To: [email protected] > >>> Subject: [rsyslog] Help requested: UDP max message size? > >>> > >>> Hi all, > >>> > >>> I am really banging my head on a problem which sounds too > easy. I have > >>> seen that my systems (and some others as well), seem to > not provide > >>> more > >>> than 1024 bytes on a recvfrom() call. With wireshark, I > see that the > >>> system itself, at the IP layer, receives more data. I am > a bit puzzled, > >>> to phrase it lightly. I did not find any information on such a > >>> limitation. > >>> > >>> I have created a strip-down version of a receiver, even > built it on top > >>> of the Linux man pages samples. Out of desperation, I even set the > >>> receivebuf size, which I think has no effect on datagram sockets. > >>> Still... I only get 1024 bytes. Code is after my sig. > >>> > >>> Does anybody have an idea what is going on OR a good > place where to ask > >>> this question? > >>> > >>> Thanks, > >>> Rainer > >>> > >>> #include <sys/types.h> > >>> #include <stdio.h> > >>> #include <stdlib.h> > >>> #include <unistd.h> > >>> #include <string.h> > >>> #include <sys/socket.h> > >>> #include <netdb.h> > >>> > >>> #define BUF_SIZE 2048 > >>> > >>> int > >>> main(int argc, char *argv[]) > >>> { > >>> struct addrinfo hints; > >>> struct addrinfo *result, *rp; > >>> int sfd, s; > >>> struct sockaddr_storage peer_addr; > >>> socklen_t peer_addr_len; > >>> ssize_t nread; > >>> char buf[BUF_SIZE]; > >>> > >>> if (argc != 2) { > >>> fprintf(stderr, "Usage: %s port\n", argv[0]); > >>> exit(EXIT_FAILURE); > >>> } > >>> > >>> memset(&hints, 0, sizeof(struct addrinfo)); > >>> hints.ai_family = AF_UNSPEC; /* Allow IPv4 > or IPv6 */ > >>> hints.ai_socktype = SOCK_DGRAM; /* Datagram socket */ > >>> hints.ai_flags = AI_PASSIVE; /* For > wildcard IP address > >>> */ > >>> hints.ai_protocol = 0; /* Any protocol */ > >>> hints.ai_canonname = NULL; > >>> hints.ai_addr = NULL; > >>> hints.ai_next = NULL; > >>> > >>> s = getaddrinfo(NULL, argv[1], &hints, &result); > >>> if (s != 0) { > >>> fprintf(stderr, "getaddrinfo: %s\n", > gai_strerror(s)); > >>> exit(EXIT_FAILURE); > >>> } > >>> > >>> /* getaddrinfo() returns a list of address structures. > >>> Try each address until we successfully bind(2). > >>> If socket(2) (or bind(2)) fails, we (close > the socket > >>> and) try the next address. */ > >>> > >>> for (rp = result; rp != NULL; rp = rp->ai_next) { > >>> sfd = socket(rp->ai_family, rp->ai_socktype, > >>> rp->ai_protocol); > >>> if (sfd == -1) > >>> continue; > >>> > >>> > >>> int result2; > >>> int bufSize = 2048; > >>> result2 = setsockopt(sfd, SOL_SOCKET, SO_RCVBUF, &bufSize, > >>> sizeof(bufSize)); > >>> printf("result of setsockopt: %d\n", result2); > >>> > >>> if (bind(sfd, rp->ai_addr, rp->ai_addrlen) == 0) > >>> break; /* Success */ > >>> > >>> close(sfd); > >>> } > >>> > >>> if (rp == NULL) { /* No address > succeeded */ > >>> fprintf(stderr, "Could not bind\n"); > >>> exit(EXIT_FAILURE); > >>> } > >>> > >>> freeaddrinfo(result); /* No longer needed */ > >>> > >>> /* Read datagrams and echo them back to sender */ > >>> for (;;) { > >>> peer_addr_len = sizeof(struct sockaddr_storage); > >>> memset(buf, 0, BUF_SIZE); > >>> nread = recvfrom(sfd, buf, BUF_SIZE, 0, > >>> (struct sockaddr *) &peer_addr, > &peer_addr_len); > >>> if(nread > 1024) > >>> printf("NREAD > 1024!"); > >>> if (nread == -1) > >>> continue; /* Ignore > failed request */ > >>> > >>> char host[NI_MAXHOST], service[NI_MAXSERV]; > >>> > >>> s = getnameinfo((struct sockaddr *) &peer_addr, > >>> peer_addr_len, host, NI_MAXHOST, > >>> service, NI_MAXSERV, > NI_NUMERICSERV); > >>> if (s == 0) > >>> printf("Received %ld bytes from %s:%s, > msg:'%s'\n", > >>> (long) nread, host, service, buf); > >>> else > >>> fprintf(stderr, "getnameinfo: %s\n", > >>> gai_strerror(s)); > >>> } > >>> } > >>> > >>> > >>> _______________________________________________ > >>> rsyslog mailing list > >>> http://lists.adiscon.net/mailman/listinfo/rsyslog > >>> http://www.rsyslog.com > >> _______________________________________________ > >> rsyslog mailing list > >> http://lists.adiscon.net/mailman/listinfo/rsyslog > >> http://www.rsyslog.com > >> > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
