[rsyslog] Help requested: UDP max message size?
Rainer Gerhards
rgerhards at hq.adiscon.com
Tue Sep 8 21:24:04 CEST 2009
> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com
> [mailto:rsyslog-bounces at lists.adiscon.com] On Behalf Of david at lang.hm
> Sent: Tuesday, September 08, 2009 8:42 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Help requested: UDP max message size?
>
> On Tue, 8 Sep 2009, Rainer Gerhards wrote:
>
> > Was there an non-rsyslog relay in the relay chain? If not,
> it points to the rsyslog forwarding module doing the
> truncation (what recent v3+ i think should not do...)
>
> yes, as far as I know the none of the senders are rsyslog yet.
Well, from what I see in the tcpdump logs, the initial sender is rsyslog and
the messages originated from imklog. I can point you to the entries in
question, but I don't have logs with me now.
Rainer
>
> I am working from the central server out.
>
> the central server is rsyslog with no problems
>
> all but this one relay box are rsyslog
>
> things sending to these relay boxes are whatever syslog
> sender was on the
> OS/appliance (there may be some acting as relays as well as
> sending for
> themselves)
>
> David Lang
>
> > rainer
> >
> > ----- Urspr?ngliche Nachricht -----
> > Von: "david at lang.hm" <david at lang.hm>
> > An: "rsyslog-users" <rsyslog at lists.adiscon.com>
> > Gesendet: 08.09.09 19:55
> > Betreff: Re: [rsyslog] Help requested: UDP max message size?
> >
> > On Tue, 8 Sep 2009, Rainer Gerhards wrote:
> >
> >> oh my... Please disregard this question. I was working on
> a tcpdump file, and
> >> the message length actually *is* 1024 bytes. I was
> confused by Wireshark's
> >> (correct!) indication that the frame is 1066 octets in
> length. Of course,
> >> this is correct, if you take the 42 octets of UDP header
> into account...
> >>
> >> I guess the dump file was created with a max of 1K...
> >
> > the dump file was set -s 0 (up to 64k packet size), but
> many/most syslog
> > senders will limit their outbound data to 1k
> >
> > David Lang
> >
> >> Sometimes it is sooo easy ... and yet so hard to see ;)
> >>
> >> Sorry for the interruption,
> >> Rainer
> >>
> >>> -----Original Message-----
> >>> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> >>> bounces at lists.adiscon.com] On Behalf Of Rainer Gerhards
> >>> Sent: Tuesday, September 08, 2009 1:23 PM
> >>> To: rsyslog at lists.adiscon.com
> >>> Subject: [rsyslog] Help requested: UDP max message size?
> >>>
> >>> Hi all,
> >>>
> >>> I am really banging my head on a problem which sounds too
> easy. I have
> >>> seen that my systems (and some others as well), seem to
> not provide
> >>> more
> >>> than 1024 bytes on a recvfrom() call. With wireshark, I
> see that the
> >>> system itself, at the IP layer, receives more data. I am
> a bit puzzled,
> >>> to phrase it lightly. I did not find any information on such a
> >>> limitation.
> >>>
> >>> I have created a strip-down version of a receiver, even
> built it on top
> >>> of the Linux man pages samples. Out of desperation, I even set the
> >>> receivebuf size, which I think has no effect on datagram sockets.
> >>> Still... I only get 1024 bytes. Code is after my sig.
> >>>
> >>> Does anybody have an idea what is going on OR a good
> place where to ask
> >>> this question?
> >>>
> >>> Thanks,
> >>> Rainer
> >>>
> >>> #include <sys/types.h>
> >>> #include <stdio.h>
> >>> #include <stdlib.h>
> >>> #include <unistd.h>
> >>> #include <string.h>
> >>> #include <sys/socket.h>
> >>> #include <netdb.h>
> >>>
> >>> #define BUF_SIZE 2048
> >>>
> >>> int
> >>> main(int argc, char *argv[])
> >>> {
> >>> struct addrinfo hints;
> >>> struct addrinfo *result, *rp;
> >>> int sfd, s;
> >>> struct sockaddr_storage peer_addr;
> >>> socklen_t peer_addr_len;
> >>> ssize_t nread;
> >>> char buf[BUF_SIZE];
> >>>
> >>> if (argc != 2) {
> >>> fprintf(stderr, "Usage: %s port\n", argv[0]);
> >>> exit(EXIT_FAILURE);
> >>> }
> >>>
> >>> memset(&hints, 0, sizeof(struct addrinfo));
> >>> hints.ai_family = AF_UNSPEC; /* Allow IPv4
> or IPv6 */
> >>> hints.ai_socktype = SOCK_DGRAM; /* Datagram socket */
> >>> hints.ai_flags = AI_PASSIVE; /* For
> wildcard IP address
> >>> */
> >>> hints.ai_protocol = 0; /* Any protocol */
> >>> hints.ai_canonname = NULL;
> >>> hints.ai_addr = NULL;
> >>> hints.ai_next = NULL;
> >>>
> >>> s = getaddrinfo(NULL, argv[1], &hints, &result);
> >>> if (s != 0) {
> >>> fprintf(stderr, "getaddrinfo: %s\n",
> gai_strerror(s));
> >>> exit(EXIT_FAILURE);
> >>> }
> >>>
> >>> /* getaddrinfo() returns a list of address structures.
> >>> Try each address until we successfully bind(2).
> >>> If socket(2) (or bind(2)) fails, we (close
> the socket
> >>> and) try the next address. */
> >>>
> >>> for (rp = result; rp != NULL; rp = rp->ai_next) {
> >>> sfd = socket(rp->ai_family, rp->ai_socktype,
> >>> rp->ai_protocol);
> >>> if (sfd == -1)
> >>> continue;
> >>>
> >>>
> >>> int result2;
> >>> int bufSize = 2048;
> >>> result2 = setsockopt(sfd, SOL_SOCKET, SO_RCVBUF, &bufSize,
> >>> sizeof(bufSize));
> >>> printf("result of setsockopt: %d\n", result2);
> >>>
> >>> if (bind(sfd, rp->ai_addr, rp->ai_addrlen) == 0)
> >>> break; /* Success */
> >>>
> >>> close(sfd);
> >>> }
> >>>
> >>> if (rp == NULL) { /* No address
> succeeded */
> >>> fprintf(stderr, "Could not bind\n");
> >>> exit(EXIT_FAILURE);
> >>> }
> >>>
> >>> freeaddrinfo(result); /* No longer needed */
> >>>
> >>> /* Read datagrams and echo them back to sender */
> >>> for (;;) {
> >>> peer_addr_len = sizeof(struct sockaddr_storage);
> >>> memset(buf, 0, BUF_SIZE);
> >>> nread = recvfrom(sfd, buf, BUF_SIZE, 0,
> >>> (struct sockaddr *) &peer_addr,
> &peer_addr_len);
> >>> if(nread > 1024)
> >>> printf("NREAD > 1024!");
> >>> if (nread == -1)
> >>> continue; /* Ignore
> failed request */
> >>>
> >>> char host[NI_MAXHOST], service[NI_MAXSERV];
> >>>
> >>> s = getnameinfo((struct sockaddr *) &peer_addr,
> >>> peer_addr_len, host, NI_MAXHOST,
> >>> service, NI_MAXSERV,
> NI_NUMERICSERV);
> >>> if (s == 0)
> >>> printf("Received %ld bytes from %s:%s,
> msg:'%s'\n",
> >>> (long) nread, host, service, buf);
> >>> else
> >>> fprintf(stderr, "getnameinfo: %s\n",
> >>> gai_strerror(s));
> >>> }
> >>> }
> >>>
> >>>
> >>> _______________________________________________
> >>> rsyslog mailing list
> >>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >>> http://www.rsyslog.com
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com
> >>
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
>
More information about the rsyslog
mailing list