Getting Data In

How do you increase maximum UDP log size?

abori
Engager

We are experiencing a complete loss of the log message if it's over approx. 1400 characters. The message doesn't show up in search results for that given endpoint.

I've tried the suggestions here and here. Neither of them worked for me.

We are using log4net with the following configuration:

  <log4net>
    <appender name="SplunkAppender" type="log4net.Appender.UdpAppender">
      <remoteAddress value="splunk.myserver.com" />
      <remotePort value="2221" />
      <layout type="log4net.Layout.PatternLayout">
        <ConversionPattern value="%utcdate log_level=%level url=%property{URL} referrer=%property{HttpReferer} agent=%property{UserAgent} %n desc=&quot;%message&quot;" />
      </layout>
    </appender>
    <root>
      <level value="INFO" />
      <appender-ref ref="SplunkAppender" />
    </root>
  </log4net>

gkanapathy
Splunk Employee

It's most likely a problem with either the log4net UdpAppender, or with your network.

A UDP syslog message by protocol definition cannot be over 1024 bytes, though this is often ignored. However, it physically must fit into a single UDP packet. A UDP packet can be over 1400 bytes, but this number is suspiciously close to the Ethernet MTU of 1500 bytes, minus overhead. Probably something in either your software, stack, or network is disallowing the transmission of UDP packets larger than the Ethernet MTU, or something is failing to fragment the UDP packet to fit into the MTU. This is a pretty low-level problem that you'd probably have to talk to network admins about.

You can test first simply using "ping -s" using varying packet sizes to see if you can ping with more than 1500 bytes. (You probably can't.) You can also ascertain whether it's a Splunk problem by using nc or ncat on the Splunk server and sending your UDP messages to that program, and seeing if they arrive.
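The nc/ncat check described in the answer above can be scripted so that it reports the exact size at which datagrams stop arriving intact. The following probe is an added example; it is not from the answer's author, Splunk, or log4net. It runs both ends on 127.0.0.1 (an ephemeral port, not the 2221 from the question), so on a single machine there is no Ethernet MTU in the path and every size should arrive whole. Run the listener half on the Splunk host and the sender half on the application host instead, and the first size that is dropped or truncated is the number to take to the network admins. The probe also takes the receiver's buffer size as a parameter, because a receiver that reads with a buffer smaller than the datagram silently truncates it (on Linux; on Windows the read raises an error instead), which looks exactly like an MTU problem from the sender's side and is worth ruling out before blaming the network.

```python
"""Loopback UDP size probe (added example, not part of the original thread).

Starts a UDP listener, sends datagrams of increasing size to it and records how
many bytes of each one arrived. recv_buf is the size of the receiver's read
buffer: datagrams larger than it are truncated on Linux, which is a
receiver-side cause of "truncated to N bytes" that has nothing to do with MTU.
"""
import socket


def probe_udp_sizes(sizes, recv_buf=65535, host="127.0.0.1", timeout=1.0):
    """Return {sent_size: received_size_or_None} for each payload size.

    None means the datagram never arrived within the timeout (dropped);
    a received size smaller than the sent size means it was truncated.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((host, 0))          # port 0: let the OS pick a free port
    listener.settimeout(timeout)
    port = listener.getsockname()[1]

    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    results = {}
    try:
        for size in sizes:
            payload = b"x" * size     # constructed filler standing in for a log line
            sender.sendto(payload, (host, port))
            try:
                data, _ = listener.recvfrom(recv_buf)
                results[size] = len(data)
            except socket.timeout:
                results[size] = None  # nothing arrived: the datagram was dropped
    finally:
        sender.close()
        listener.close()
    return results


def first_failing_size(results):
    """Smallest sent size that was dropped or truncated, or None if all arrived whole."""
    for size in sorted(results):
        if results[size] != size:
            return size
    return None


if __name__ == "__main__":
    # Sizes bracket the 1024-byte syslog limit, the 1400-1452 range seen in
    # the thread and the 1500-byte Ethernet MTU.
    sizes = [512, 1024, 1400, 1452, 1500, 4000]
    whole = probe_udp_sizes(sizes)
    print("large receive buffer:", whole, "first problem:", first_failing_size(whole))
    clipped = probe_udp_sizes(sizes, recv_buf=1452)
    print("1452-byte receive buffer:", clipped, "first problem:", first_failing_size(clipped))
```

With the default 65535-byte receive buffer every size comes back intact on loopback; with a 1452-byte buffer the 1500- and 4000-byte datagrams come back as 1452 bytes, reproducing a truncation that is entirely the receiver's doing. When the same probe across the real network shows None for sizes above roughly 1472 bytes, the fragmentation or path-MTU problem the answer describes is the more likely explanation.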

abori
Engager

After running Wireshark on the client and server, we found that the messages were being truncated to fit in one UDP packet (max 1452 bytes). Even though the server was receiving the truncated message, it was not showing up in the Splunk logs. We don't mind truncated messages. We mind dropped messages. Any ideas?
