The maximum syslog packet size (including PRI, Header, Tag and Content fields) is 1024 bytes, so the forwarded event may not be able to include all of the CEG name-value pairs the user has specified.
When necessary,CA Enterprise Log Manager truncates the message value to keep the length under 1024 bytes. If the forwarding rule specifies CEG fields to include in the generated syslog event, then the generated syslog event's Content field contains the specified CEG name-value pairs.
The name-value pairs have the format CEG_field_name:field_value from the event that matched the simple filter rule. The string “null” designates a null CEG field value. These CEG fields are in the order specified in the forwarding rule.
The CEG field order specified in the forwarding rule is significant. CA Enterprise Log Manager may truncate the value portion specified, but it will not truncate any CEG field names. If CA Enterprise Log Manager cannot fit the next full CEG field name and the colon and at least one byte of the associated value, then it terminates the syslog content field with the prior CEG name-value pair.
Copyright © 2010 CA. All rights reserved. | Email CA Technologies about this topic |