Syslog notification is set up; however, at times no messages are sent.
In the IncidentPersister*.log the following error is referenced:
Aug 4, 2010 12:34:59 PM (SEVERE) Thread: 16 [com.vontu.command.CommandRuntime.executeCommands] Error executing command: syslog
com.vontu.command.CommandException: Unable to write to syslog: host=10.112.60.12, port=514
    at com.vontu.incidenthandler.command.enforce.SyslogLogger.execute(SyslogLogger.java:128)
    at com.vontu.command.CommandRuntime.executeCommands(CommandRuntime.java:763)
    at com.vontu.command.CommandRuntime.access$900(CommandRuntime.java:64)
    at com.vontu.command.CommandRuntime$CommandExecutor.run(CommandRuntime.java:1281)
    at edu.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:728)
    at java.lang.Thread.run(Unknown Source)
Caused by: com.vontu.util.syslog.SyslogException: Syslog message to large: size: 2670 MAX_MESSAGE_SIZE: 1460
    at com.vontu.util.syslog.SyslogMessage.makeBytes(SyslogMessage.java:142)
    at com.vontu.util.syslog.SyslogMessage.<init>(SyslogMessage.java:25)
[...]
Note: In versions prior to V10 this may be within the manager log.
RFC 3195 and RFC 3164 specify that BSD and RAW syslog messages must not be longer than 1024 characters; otherwise syslog servers and relays ignore the end of the message. Note that these RFCs are not fixed standards, but they are widely implemented.
In this case the message exceeds the 1024-character guideline by a wide margin, and the result is the error above. Keep in mind that syslog servers are designed to store system events and small notifications as short text; they are not designed for large contextual data or to act as a remediation system. Current remediation systems take these short texts and context information to trigger a workflow and store additional data in their own databases.
The underlying cause may be the use of custom attributes in the notification, which can produce messages far larger than 1024 characters, since the standard email notification is not bound to any limit.
As a best practice, create syslog notifications without custom attributes, using only fixed content such as the incident ID or violator as a reference. If the remediator or whoever consumes the syslog entry requires more in-depth details, they can log into the Vontu UI. Alternatively, the incident ID from the syslog notification can be used to access the incident directly through the Reporting API and store the incident data in a secondary remediation system.
Another approach is to trigger a workflow via email notification. Some customers then extract the contextual information, including all custom attributes, from the email and store it in a secondary remediation system.
This is a limitation of the syslog libraries used; the current limit in the product is a maximum length of 1460 characters.
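As an added illustration (not part of this article or the product's own code), the following Python renders a BSD-style message from a lean template and from one that appends custom attributes, measures each against the 1024-character guideline and the 1460-character product cap, and pulls the size figures out of the IncidentPersister error line; the incident fields, attribute values, hostname and tag are constructed assumptions.

```python
import re
from datetime import datetime

RFC3164_MAX = 1024               # guideline size for BSD syslog messages (RFC 3164)
PRODUCT_MAX_MESSAGE_SIZE = 1460  # cap quoted in the IncidentPersister error

# Constructed sample incident; field names and values are assumptions for illustration.
INCIDENT = {
    "id": 12345, "policy": "PCI-DSS", "severity": "High", "violator": "jdoe",
    "custom_attributes": {"Manager": "asmith", "Department": "Finance",
                          "MatchSnippet": "4111 1111 1111 1111 ... " * 60},
}

def format_bsd_message(content, facility=1, severity=5, host="enforce01",
                       tag="vontu", ts=datetime(2010, 8, 4, 12, 34, 59)):
    """Render <PRI>TIMESTAMP HOST TAG: CONTENT in the RFC 3164 wire format."""
    pri = facility * 8 + severity                  # PRI = facility * 8 + severity
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"   # day is space padded per RFC 3164
    return f"<{pri}>{stamp} {host} {tag}: {content}"

def render_template(incident, include_custom_attributes):
    """Lean template (fixed fields only) versus one that appends every custom attribute."""
    content = (f"incident={incident['id']} policy={incident['policy']} "
               f"severity={incident['severity']} violator={incident['violator']}")
    if include_custom_attributes:
        content += "".join(f" {k}={v}" for k, v in incident["custom_attributes"].items())
    return format_bsd_message(content)

def check_size(message):
    """Byte length (what the sender counts) compared against both limits."""
    size = len(message.encode("utf-8"))
    return {"size": size, "over_rfc3164": size > RFC3164_MAX,
            "over_product_max": size > PRODUCT_MAX_MESSAGE_SIZE}

ERR_RE = re.compile(r"Syslog message to large: size: (\d+) MAX_MESSAGE_SIZE: (\d+)")

def parse_oversize_error(log_line):
    """Extract size and cap from the IncidentPersister error; None if it is another error."""
    m = ERR_RE.search(log_line)
    if not m:
        return None
    size, cap = int(m.group(1)), int(m.group(2))
    return {"size": size, "max": cap, "excess": size - cap}

if __name__ == "__main__":
    for verbose in (False, True):
        label = "with custom attributes" if verbose else "lean"
        print(label, check_size(render_template(INCIDENT, verbose)))
```

Running the lean template stays well under 1024 bytes, while appending the custom attributes pushes the same incident past the 1460-byte product cap, which is the situation the error above reports.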
Imported Document ID: TECH221783