
How to prevent : "Value names cannot be longer than 255 characters, this value will always expand to the empty string;"

Open ehlo550 opened this issue 1 year ago • 4 comments

Was the issue replicated by support? yes.

What is the sc4s version ? 2.48

Is there a pcap available? yes.

Is the issue related to the environment of the customer or Software related issue? it's related to syslog-ng/sc4s configuration

Describe the bug

When I am sending a specific message to sc4s I get sort of an "error", more of an informational message, logged from sc4s that says:

- - syslog-ng 158 - [meta sequenceId="43428"]Value names cannot be longer than 255 characters, this value will always expand to the empty string; value='.values.XXXXXXXXXXXXX'

The content that was replaced with XXXXXXXX is base64 encoded and ends with a = character in the original message.

How can I get rid of these error messages?

I am sure that some parser is used on this message and, due to the value ending with a =, sc4s is trying to use everything before it as a key and everything after it as the value.

I assume I simply need to add an app parser to stop this behaviour. The message below is just an example, so this is a general question and independent of sourcetype/vendor_product. Splunk Support told me to open an issue here.

To Reproduce

Steps to reproduce the behavior:

  1. Send the example message to sc4s:

     echo "<13>Nov 08 12:59:54 1.1.1.1 f5req_forward_clone[-]: F5-REQ-VERSION:v1:date_time='2023-11-08 13:59:54',clientip='1.2.2.2',host='host.example.com' ,http_host='host.example.com',http_responsecode='200',http_username='makemelongenoughtotriggerAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABASE64CONTENTendingwitha=',http_user-agent='PHP-SOAP-CURL',http_referer='',http_xff='3.3.3.3',http_request_id='',cached='false',virtualname='something',virtualip='4.4.4.4',virtualport='443',http_method='POST',http_path='/bla/blub.asmx',http_query='',http_version='HTTP/1.1',http_response_size='10092',http_response_time='32',nodeip='4.4.4.4',nodeport='443',snatpool='/Common/SNAT_Something_Pool',snatip='6.6.6.6',snatport='34470',pool='/Common/blub.app/blapool8',req_type='response'" | nc -u -w 0 {SC4S_IP} 514

ehlo550 avatar Dec 22 '23 08:12 ehlo550

Hello, @ehlo550! Thanks for the issue. I reproduced this bug. It's a very tricky bug and I will let you know about progress.

ikheifets-splunk avatar Jan 03 '24 11:01 ikheifets-splunk

Hi @ikheifets-splunk, thank you for the confirmation.

Regards Stefan

ehlo550 avatar Jan 10 '24 08:01 ehlo550

I have the same issue. For now I use "Ingest Actions" to remove them.

xenogloss avatar Feb 11 '24 03:02 xenogloss

Hello, @ehlo550 @xenogloss !

Sorry for the delay! This error, Value names cannot be longer than 255 characters, this value will always expand to the empty string;, is related to https://github.com/syslog-ng/syslog-ng . I already had a direct conversation with the syslog-ng author. I'm not sure that we can fix it very fast.

But I think we can probably make a workaround for this case.

ikheifets-splunk avatar Feb 12 '24 14:02 ikheifets-splunk

Hi @ehlo550, the error you're seeing is generated by syslog-ng and cannot be controlled at the SC4S level, especially since it's currently expected behavior for syslog-ng to check strings ending with equal signs as value names. We have opened a GitHub issue in the syslog-ng repository for this. As a quick workaround, you might consider filtering out syslog-ng errors related to the 255-character rule. You can find more details here: https://splunk.github.io/splunk-connect-for-syslog/main/sources/#filtering-events-from-output.

For example:

block parser sc4s_log-postfiler() {
    channel {
        rewrite(r_set_dest_splunk_null_queue);
    };
};

application sc4s_log-postfiler[sc4s-postfilter] {
    filter {
        "${fields.sc4s_vendor}" eq "splunk" and
        "${fields.sc4s_product}" eq "sc4s"
        and message('Value names cannot be longer than 255 characters');
    };
    parser { sc4s_log-postfiler(); };
};

mstopa-splunk avatar Aug 09 '24 11:08 mstopa-splunk
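An added Python example (not code from the issue, SC4S or syslog-ng) that covers two points in this thread: a pre-check for the trigger described in the original report (a value ending in `=` whose leading run would, if read as a value name, exceed 255 characters), and a plain-Python mirror of the three conditions in the `sc4s_log-postfiler` filter from the last comment, so the drop rule can be checked against sample events before it is deployed. The sample F5 message and the sc4s internal events are constructed, with placeholder hosts and IPs, and the `NAME_EQ_RE` model of how a key=value extraction picks a name is an assumption based on the hypothesis in the report, not a reading of syslog-ng's parser.

```python
import re

# Constructed sample modelled on the reproduction command in the issue
# (placeholder host and IPs; LONG_TOKEN stands in for the base64 value).
LONG_TOKEN = "makemelongenoughtotrigger" + "A" * 260 + "BASE64CONTENTendingwitha="
SAMPLE_MSG = (
    "<13>Nov 08 12:59:54 1.1.1.1 f5req_forward_clone[-]: F5-REQ-VERSION:v1:"
    "date_time='2023-11-08 13:59:54',clientip='1.2.2.2',host='host.example.com',"
    f"http_username='{LONG_TOKEN}',http_user-agent='PHP-SOAP-CURL',"
    "http_method='POST',req_type='response'"
)

MAX_NAME_LEN = 255  # the limit quoted in the syslog-ng message

# Outer name='value' pairs as the F5 request-log format writes them.
PAIR_RE = re.compile(r"([A-Za-z_][\w-]*)='([^']*)'")
# Assumption: a run of non-separator characters directly followed by '=' is what a
# key=value extraction would take as a value name. This models the hypothesis in
# the issue; it is not taken from syslog-ng's own parser.
NAME_EQ_RE = re.compile(r"([^\s,='\"]+)=")


def parse_f5_pairs(msg: str) -> dict:
    """Extract the outer name='value' pairs of an F5 request-log line."""
    return dict(PAIR_RE.findall(msg))


def oversized_value_names(fields: dict, limit: int = MAX_NAME_LEN) -> list:
    """Return (field, candidate_length) for every value whose 'name=' candidate
    would be longer than `limit` characters, i.e. would trigger the warning."""
    hits = []
    for field, value in fields.items():
        for candidate in NAME_EQ_RE.findall(value):
            if len(candidate) > limit:
                hits.append((field, len(candidate)))
    return hits


WARNING_TEXT = "Value names cannot be longer than 255 characters"


def should_drop(event: dict) -> bool:
    """Mirror the three conditions of the sc4s_log-postfiler filter in the thread:
    vendor 'splunk', product 'sc4s', and the warning text in the message."""
    return (
        event.get("sc4s_vendor") == "splunk"
        and event.get("sc4s_product") == "sc4s"
        and WARNING_TEXT in event.get("message", "")
    )


def apply_postfilter(events: list) -> list:
    """Return the events that would still be forwarded after the filter."""
    return [e for e in events if not should_drop(e)]


# Constructed sc4s internal events modelled on the line quoted in the issue.
SAMPLE_EVENTS = [
    {"sc4s_vendor": "splunk", "sc4s_product": "sc4s",
     "message": '- - syslog-ng 158 - [meta sequenceId="43428"]Value names cannot be '
                'longer than 255 characters, this value will always expand to the '
                "empty string; value='.values.XXXXXXXXXXXXX'"},
    {"sc4s_vendor": "splunk", "sc4s_product": "sc4s",
     "message": '- - syslog-ng 159 - [meta sequenceId="43429"]Configuration reload finished;'},
    # A customer event whose payload happens to contain the same phrase must survive:
    # the vendor/product conditions keep the filter scoped to sc4s's own log.
    {"sc4s_vendor": "f5", "sc4s_product": "bigip",
     "message": "ticket note: Value names cannot be longer than 255 characters"},
]

if __name__ == "__main__":
    print(oversized_value_names(parse_f5_pairs(SAMPLE_MSG)))
    for e in apply_postfilter(SAMPLE_EVENTS):
        print(e["sc4s_vendor"], e["sc4s_product"], e["message"][:60])
```

The third sample event is the case worth keeping in mind when adopting the workaround: the filter in the thread keys on `sc4s_vendor`/`sc4s_product` as well as the message text, so only sc4s's own internal log is dropped and a customer event that merely quotes the phrase is not.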