https://community.splunk.com/t5/Getting-Data-In/output-syslog-blocked-at-1000-characters/m-p/490217#M83789 <P>I agree with @richgalloway , but according to the syslog-ng documentation the message size is limited to 64kb for SDATA and 256mb for IETF<BR /> <A href="https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/option-description-log-msg-size">https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/option-description-log-msg-size</A></P> Tue, 10 Mar 2020 17:32:22 GMT mydog8it 2020-03-10T17:32:22Z https://community.splunk.com/t5/Getting-Data-In/output-syslog-blocked-at-1000-characters/m-p/490215#M83787 <P>Hi,</P> <P>I want tu use syslog-ng to send windows logs from a heavy forwarder to an indexer. But I got a problem, the message is truncated to the first 1kb of data (due to the RFC). Do I have any solution to send my message through syslog without being truncated?</P> <P>Thanks in advance.</P> Tue, 10 Mar 2020 16:15:02 GMT https://community.splunk.com/t5/Getting-Data-In/output-syslog-blocked-at-1000-characters/m-p/490215#M83787 paulquinonero 2020-03-10T16:15:02Z https://community.splunk.com/t5/Getting-Data-In/output-syslog-blocked-at-1000-characters/m-p/490216#M83788 <P>If the HF is running on a Windows box then there is no need for syslog. Forwarders support Windows logs and can send them directly to indexers without an intermediate service.</P> Tue, 10 Mar 2020 16:40:08 GMT https://community.splunk.com/t5/Getting-Data-In/output-syslog-blocked-at-1000-characters/m-p/490216#M83788 richgalloway 2020-03-10T16:40:08Z https://community.splunk.com/t5/Getting-Data-In/output-syslog-blocked-at-1000-characters/m-p/490217#M83789 <P>I agree with @richgalloway , but according to the syslog-ng documentation the message size is limited to 64kb for SDATA and 256mb for IETF<BR /> <A href="https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/option-description-log-msg-size">https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/option-description-log-msg-size</A></P> Tue, 10 Mar 2020 17:32:22 GMT https://community.splunk.com/t5/Getting-Data-In/output-syslog-blocked-at-1000-characters/m-p/490217#M83789 mydog8it 2020-03-10T17:32:22Z https://community.splunk.com/t5/Getting-Data-In/output-syslog-blocked-at-1000-characters/m-p/490218#M83790 <P>I know, but I need to use syslog due to constraints imposed by my compagny. But I finaly find what I need, the maxEventSize option.</P> Wed, 11 Mar 2020 08:10:36 GMT https://community.splunk.com/t5/Getting-Data-In/output-syslog-blocked-at-1000-characters/m-p/490218#M83790 paulquinonero 2020-03-11T08:10:36Z https://community.splunk.com/t5/Getting-Data-In/output-syslog-blocked-at-1000-characters/m-p/490219#M83791 <P>The limitation is due to splunk configuration, not syslog-ng, but with the maxEventSize options I fix the problem, thanks!</P> Wed, 11 Mar 2020 08:11:33 GMT https://community.splunk.com/t5/Getting-Data-In/output-syslog-blocked-at-1000-characters/m-p/490219#M83791 paulquinonero 2020-03-11T08:11:33Z