I use Snare.
Snare for Windows is a Windows NT, Windows 2000, Windows XP, and Windows 2003 compatible service that interacts with the underlying Windows Eventlog subsystem to facilitate remote, real-time transfer of event log information. Snare for Windows also supports 64-bit versions of Windows (X64 and IA64).
Snare for Windows Vista is a Windows 2008, Vista and Windows 7 compatible service that interacts with the underlying "Crimson" Eventlog subsystem to facilitate remote, real-time transfer of event log information. Snare for Windows Vista also supports 64-bit versions of Windows (X64).
Snare for Windows and Windows Vista are free software (freeware), released under the terms of the GNU Public Licence (GPL).
Updating my answer after looking into this more.
This seems to be a limit with /usr/bin/logger, which is expected to conform with the syslog RFCs. http://www.faqs.org/rfcs/rfc3164.html says:
The total length of the packet MUST be 1024 bytes or less.
If you try to send more than 1024 characters to syslog via the command line (outside of Apache), you'll run into this same limit.
Keep in mind that the 1024 character limit probably exists elsewhere. I think the maximum size for an HTTP GET is 1024 characters, and I seem to recall that some printf library routines have a hard limit of 1024 characters (there was a security alert a couple of years ago regarding the 1024 character limit regarding some syslog/string printing utilities, if I remember right). So, it seems that your options are:
1) Recompile logger and increase this limit. If you do this, keep in mind that you're changing a core utility and this may result in unexpected behavior. To mitigate this, put this utility in /usr/local/bin or /opt/bin. Do not replace /usr/bin/logger.
2) Don't send from Apache to syslog. Something like the following should work around the 1024-character limit, since this doesn't use syslog.
CustomLog logs/access_log
3) Try to stop your HTTP applications from writing long log messages. This is easier said than done.
4) http://www.oreillynet.com/pub/a/sysadmin/2006/10/12/httpd-syslog.html uses Sys::Syslog and seems to be a reasonable alternative to /usr/bin/logger. You need to check Sys::Syslog for this same 1024 character limit. It's Perl, and should be easy to override.
Old answer:
It looks like this limit is tunable within syslog-ng, according to http://www.campin.net/syslog-ng/faq.html:
syslog defaults to 1024 byte long messages, but this value is tunable in syslog-ng 1.5 where you can set it to a higher value.
options { log_msg_size(8192); };
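The RFC 3164 limit quoted in the answer above, as an added example that is not part of the original answer: this Python code builds RFC 3164 packets and splits an over-long log line into numbered parts so that no packet exceeds 1024 bytes. The host name, tag, facility, the "[i/n]" part marker (not defined by the RFC, the receiver must reassemble on it) and the sample log line are constructed assumptions.

```python
import time

MAX_PACKET = 1024  # RFC 3164: total packet length MUST be 1024 bytes or less
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def header(facility, severity, host, tag, ts=None):
    """Return the '<PRI>TIMESTAMP HOSTNAME TAG: ' prefix as bytes."""
    t = time.localtime(ts)
    stamp = "%s %2d %02d:%02d:%02d" % (MONTHS[t.tm_mon - 1], t.tm_mday,
                                       t.tm_hour, t.tm_min, t.tm_sec)
    pri = facility * 8 + severity
    return ("<%d>%s %s %s: " % (pri, stamp, host, tag)).encode("ascii")

def split_utf8(body, room):
    """Cut body into pieces of at most room bytes without splitting a character."""
    pieces = []
    while body:
        cut = min(room, len(body))
        # Back off while the next byte is a UTF-8 continuation byte (10xxxxxx).
        while 0 < cut < len(body) and (body[cut] & 0xC0) == 0x80:
            cut -= 1
        pieces.append(body[:cut])
        body = body[cut:]
    return pieces

def packets(msg, facility=16, severity=6, host="web01", tag="httpd", ts=None):
    """Return RFC 3164 packets, each <= MAX_PACKET bytes, that together carry msg."""
    hdr = header(facility, severity, host, tag, ts)  # host/tag are assumed names
    body = msg.encode("utf-8")
    if len(hdr) + len(body) <= MAX_PACKET:
        return [hdr + body]
    room = MAX_PACKET - len(hdr) - len("[9999/9999] ")  # reserve the part marker
    if room < 4:  # must fit at least one 4-byte UTF-8 character per part
        raise ValueError("header leaves no room for message data")
    pieces = split_utf8(body, room)
    return [hdr + ("[%d/%d] " % (i, len(pieces))).encode("ascii") + p
            for i, p in enumerate(pieces, 1)]

if __name__ == "__main__":
    # Constructed sample: an access-log line with a 3000-character query string.
    line = '203.0.113.7 - - "GET /search?q=' + "A" * 3000 + ' HTTP/1.1" 200 512'
    for p in packets(line, ts=0):
        print(len(p), p[:60])
```

A line that fits is sent unchanged as a single packet; only lines that would otherwise be cut off by the limit are split.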
Best Answer
You need a source that reads the Tomcat logs and sends them over to your log server. So assuming that Tomcat logs into a file, you need something like:
source s_file { file("/opt/tomcat/logs/tomcat.log" multi-line-mode(indented)); };
(Note that "/opt/tomcat/logs/*.log" will not currently work in syslog-ng Open Source Edition, because it does not yet support wildcards in the source; you have to specify the file to read.) Then the destination:
destination d_net { tcp("x.x.x.x" port(1514) log_fifo_size(1000)); };
See the syslog-ng documentation for more details.
And the log statement to connect them: