rsyslog truncate message also with $MaxMessageSize
I stumbled on the same problem yesterday and after some digging, I found the reason.
I'll make it short : the libc
lib used on alpine is the musl libc
(https://www.musl-libc.org/). If you check their implementation of the syslog
function (https://git.musl-libc.org/cgit/musl/tree/src/misc/syslog.c#n87), you can see that the length of the variable buf
that represent the message is hardcoded to 1024.
One solution is to connect and send the message (implementing the syslog RFC) to the /dev/log
socket yourself. It works well.
Another one might be to use glibc
on alpine lib but I do not know if it's actually possible.
Related videos on Youtube
hellb0y77
Updated on September 18, 2022Comments
-
hellb0y77 over 1 year
I have an official alpine container with rsyslog installed, my
/etc/rsyslog.conf
is:$MaxMessageSize 64k $ModLoad imuxsock # provides support for local system logging $ModLoad imklog # provides kernel logging support $KLogPermitNonKernelFacility on $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat $FileOwner root $FileGroup adm $FileCreateMode 0640 $DirCreateMode 0755 $Umask 0022 *.*;auth,authpriv.none -/var/log/syslog
I run rsyslog with
rsyslogd -f /etc/rsyslog.conf
, it seems that$MaxMessageSize
is 1k instead than 64k Where am I wrong?UPDATE
I have try within ubuntu container and work perfectly, it seems that alpine is the problem, into ubuntu rsyslog is version 7.4.4, into alpine 8.18.0
UPDATE 2
I have tried also with syslog-ng and have same result, max size 1k, maybe is a limit of alpine docker container?
-
Rohit Nagpal over 6 yearsYou will have to set the MaxMessageSize parameter on both the client(sender) as well as the server(receiver). This is the mistake which i was making when i faced a similar issue. Worked for me when i set it on the client as well.
-
hellb0y77 over 6 yearsNo client exists, into /var/log/syslog i put logs of php application, then i get with filebeat/logstash for elk logging. I use the official php-fpm-alpine container
-