Output syslog: limited output size?

Hello!

I have one Kafka input to grab Winlogbeat logs.
Regarding output, I have one Elasticsearch output and one syslog output:

output {
  syslog {
    host => "1.2.3.4"
    port => 777
    protocol => "tcp"
    codec => json
  }
}

Using tcpdump on the syslog destination, I noticed that the forwarded log is not complete:

17:11:41.570168 IP logstash.47428 > collector.multiling-http: Flags [.], seq 84427:85875, ack 1, win 229, options [nop,nop,TS val 1850305140 ecr 1155194388], length 1448
E@..i.@.@.Wd.........D. ..s=.{.......&.....
nIjtD...{"winlog":{"computer_name":"windows","provider_guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","opcode":"Info","event_data":{"SubjectUserSid":"S-1-0-0","SubjectDomainName":"-","TransmittedServices":"-","TargetUserSid":"S-1-0-0","LmPackageName":"-","TargetUserName":"TEST","TargetDomainName":"LOCAL","Status":"0xc000006d","AuthenticationPackageName":"NTLM","SubjectUserName":"-","LogonType":"3","LogonProcessName":"NtLmSsp ","FailureReason":"%%2313","SubjectLogonId":"0x0","SubStatus":"0xc000006a","KeyLength":"0"},"provider_name":"Microsoft-Windows-Security-Auditing","process":{"thread":{"id":3868},"pid":740},"keywords":["Audit Failure"],"channel":"Security","record_id":131161,"activity_id":"{5749BBB2-0FFD-0000-D6BB-4957FD0FD701}","event_id":4625,"task":"Logon","api":"wineventlog","logon":{"type":"Network","id":"0x0","failure":{"sub_status":"User logon with misspelled or bad password","status":"This is either due to a bad username or authentication information","reason":"Unknown user name or bad password."}}},"source":{"domain":"LOCAL","ip":"1.2.3.4","port":0},"event":{"type":"start","module":"security","kind":"event","action":"logon-failed","created":"2021-03-11T17:11:29.447Z","provider":"Microsoft-Windows-Security-Auditing","outcome":"failure","category":"authentication","code":4625},"ecs":{"version":"1.5.0"},"related":{"user":"TEST"},"@version":"1","agent":{"type":"winlogbeat","id":"7f................

As you can see, there are multiple dots at the end. And I know that the log is not complete, as I can see it complete in Elasticsearch.

So I'm asking whether there is a size limit in the syslog output, or maybe the issue is elsewhere?

Thanks for your help!

My bad... It was the tcpdump output that was limited.

I ran netcat to write to a file and I can see the log is complete. Sorry for the noise... :wink:
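The netcat-to-file check above can be automated so that forwarded Windows security events are verified end to end rather than eyeballed. The script below is an added example, not code from the thread or from Logstash: it reads a capture file written by the collector, strips the RFC 3164 header that the Logstash syslog output prepends by default (the header regex is an assumption about that default format; headerless lines are accepted too), parses each line as JSON and reports lines that do not decode, which is what a truncated event looks like. The sample lines are constructed.

```python
import json
import re

# Logstash's syslog output prepends an RFC 3164 style header to each event;
# with codec => json the message part is one JSON object per line.
# Assumed default header shape: <PRI>Mon DD hh:mm:ss host appname[procid]:
SYSLOG_HEADER = re.compile(r"^<\d{1,3}>\S+ \d+ \d\d:\d\d:\d\d \S+ \S+: ")

def parse_line(line):
    """Return (event_dict, None) for a complete line or (None, error) if not."""
    body = SYSLOG_HEADER.sub("", line.rstrip("\r\n"), count=1)
    try:
        return json.loads(body), None
    except json.JSONDecodeError as exc:
        # A cut-off event fails to decode; exc.pos shows where parsing stopped.
        return None, f"truncated or malformed JSON at offset {exc.pos}"

def check_capture(text):
    """Validate every line of a capture; return counts, broken lines, event codes."""
    summary = {"complete": 0, "broken": [], "max_len": 0, "event_codes": {}}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        summary["max_len"] = max(summary["max_len"], len(line))
        event, err = parse_line(line)
        if err:
            summary["broken"].append((n, err))
            continue
        summary["complete"] += 1
        code = event.get("event", {}).get("code")
        summary["event_codes"][code] = summary["event_codes"].get(code, 0) + 1
    return summary

# Constructed sample: one intact forwarded 4625 event, one cut off mid-object.
SAMPLE = (
    '<13>Mar 11 17:11:29 logstash LOGSTASH[-]: '
    '{"winlog":{"event_id":4625,"channel":"Security"},'
    '"event":{"code":4625,"action":"logon-failed","outcome":"failure"},'
    '"related":{"user":"TEST"}}\n'
    '<13>Mar 11 17:11:30 logstash LOGSTASH[-]: '
    '{"winlog":{"event_id":4624,"channel":"Security"},"event":{"code":46\n'
)

if __name__ == "__main__":
    result = check_capture(SAMPLE)
    print(f"{result['complete']} complete, {len(result['broken'])} broken, "
          f"longest line {result['max_len']} bytes")
    for n, err in result["broken"]:
        print(f"  line {n}: {err}")
```

Point `check_capture` at the file netcat wrote (for example `check_capture(open("capture.log").read())`) and compare the event counts per code with what Elasticsearch shows for the same window.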
