remote_syslog_logger icon indicating copy to clipboard operation
remote_syslog_logger copied to clipboard

Published 20 hours ago verified publisher icon papertrail

Obey Syslog size limits

Open jscheid opened this issue 10 years ago • 3 comments

  • Ensure default tag is max 32 characters long
  • Split long lines into chunks so they aren't truncated by Syslog max message size

jscheid avatar Dec 19 '14 12:12 jscheid

Hi, I don't know if you've seen it but there is some more information in the commit messages.

In retrospect, this should probably keep the default behaviour of no chunking for backwards compatibility. I'm happy to make that change if you agree.

Do you have any other concerns?

jscheid avatar Sep 03 '15 01:09 jscheid

@jscheid for context, can you add the back story which led you to want this? That is, what led you to say "Hey this should be added and is worth my time to write"?

troy avatar Sep 03 '15 15:09 troy

@troy, Sure!

So we're running remote_syslog_logger in a PCI-DSS v3 compliant environment. PCI-DSS requires a full audit trail and we're taking it seriously, therefore truncated or dropped log records are simply not good enough. (If you're curious, yes we're logging via TCP not UDP.)

Of course, most of our log records are, like everybody else's, much shorter than our server limits, but every now and then we're logging something biggish (say, an email body or a public key or something) and it's good to have it in its entirety.

Of course we can always increase server-side limits, but we can't make them infinite and so we could never be quite sure that all data will make it. Chopping records into chunks is a nice and easy way to work around this problem.

That story being told, I can't imagine many people outside of the requirements of PCI compliance saying "oh, it's ok that this long log record didn't make it, it probably wasn't that important anyway". I'd wager that when people ask their systems to log something, they expect it to be logged in its entirety.

(We could wrap your code in some custom pre-processor of course, but I felt like your project -- being a convenience wrapper around syslog_protocol, so to speak -- was a good home for it.)

Regarding the 32-character limit for the tag, it's pretty straightforward. If I remember correctly, just make a script called this_is_a_very_long_filename.rb and have it log a line. That should trigger an exception in https://github.com/eric/syslog_protocol/blob/001000ffe27a4557c3ec312b9c3c50385e6a923b/lib/syslog_protocol/packet.rb#L49

Hopefully this explains our motivation better, and I hope this change can benefit your other users as well.

(PS we've been using this patch in production for eight months or so now.)

jscheid avatar Sep 03 '15 20:09 jscheid