syslog, IHE and message sizes…

Back to our regular programming… ;) The IHE initiative uses syslog for auditing. Unfortunately, though, their framework specifies audit records way in excess of syslog’s normal 1024 byte message size. Some IHE messages can grow as large as 32K; few stay within the 1024 byte limit. The bad thing is that most Unix syslogds will truncate the message at 1024 bytes, effectively losing audit data. Under Windows, it’s less of a problem, as most Windows syslog servers accept “oversize” messages.

So I thought I’d cure this under Linux and include the capability for larger size messages in rsyslog. I fired up the development machine to get a first glimpse of what to do. Well, it turned out that all I need to do is change the MAXLINE #define – and that’s it. Isn’t that funny? I have now been fiddling with the source for some months, have even applied some considerable changes … but never noticed this simple thing. Dumb me ;) Anyhow, I’ll change the default to 32K with the next version I will release, so the IHE folks will hopefully be happy…
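The truncation described above, as an added example (not rsyslog source and not the author's code): a receiver with a fixed MAXLINE-sized buffer reads a constructed 4000-byte record from a local datagram socket, and `MSG_TRUNC` reveals when the tail of the record was dropped. The helper name `receive_with_maxline` and the 4000-byte record are assumptions made for illustration; the 1024 and 32K sizes are the ones from the post.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

#define MAXLINE_CLASSIC 1024        /* classic limit named in the post */
#define MAXLINE_LARGE   (32 * 1024) /* 32K default announced in the post */

/* Hypothetical helper: send a constructed record of msg_len bytes over a
 * local datagram socket pair and read it into a maxline-byte buffer, as a
 * fixed-buffer receiver would. Returns bytes stored (-1 on error) and sets
 * *truncated when the rest of the datagram was discarded. */
static ssize_t receive_with_maxline(size_t msg_len, size_t maxline, int *truncated)
{
    static char record[MAXLINE_LARGE]; /* constructed sample audit record */
    static char line[MAXLINE_LARGE];   /* receiver's line buffer */
    int sv[2];
    ssize_t stored = -1;

    *truncated = 0;
    if (msg_len > sizeof record || maxline > sizeof line)
        return -1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return -1;
    memset(record, 'A', msg_len);
    if (send(sv[0], record, msg_len, 0) == (ssize_t)msg_len) {
        struct iovec iov = { .iov_base = line, .iov_len = maxline };
        struct msghdr mh;
        memset(&mh, 0, sizeof mh);
        mh.msg_iov = &iov;
        mh.msg_iovlen = 1;
        stored = recvmsg(sv[1], &mh, 0);
        /* MSG_TRUNC: datagram was longer than the buffer, excess is gone */
        *truncated = stored >= 0 && (mh.msg_flags & MSG_TRUNC) != 0;
    }
    close(sv[0]);
    close(sv[1]);
    return stored;
}

int main(void)
{
    int t;
    ssize_t n = receive_with_maxline(4000, MAXLINE_CLASSIC, &t);
    printf("MAXLINE 1024:  stored %zd of 4000, truncated=%d\n", n, t);
    n = receive_with_maxline(4000, MAXLINE_LARGE, &t);
    printf("MAXLINE 32768: stored %zd of 4000, truncated=%d\n", n, t);
    return 0;
}
```

A receiver that checks the truncation flag can at least log that an audit record arrived incomplete instead of storing the shortened record silently.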
