Previous Topic: Set Forwarding Rule AttributesNext Topic: Edit a Forwarding Rule


About Forwarded syslog Events

The maximum syslog packet size (including PRI, Header, Tag and Content fields) is 1024 bytes, so the forwarded event may not be able to include all of the CEG name-value pairs the user has specified.

When necessary,CA User Activity Reporting Module truncates the message value to keep the length under 1024 bytes. If the forwarding rule specifies CEG fields to include in the generated syslog event, then the generated syslog event's Content field contains the specified CEG name-value pairs.

The name-value pairs have the format CEG_field_name:field_value from the event that matched the simple filter rule. The string “null” designates a null CEG field value. These CEG fields are in the order specified in the forwarding rule.

The CEG field order specified in the forwarding rule is significant. CA User Activity Reporting Module may truncate the value portion specified, but it will not truncate any CEG field names. If CA User Activity Reporting Module cannot fit the next full CEG field name and the colon and at least one byte of the associated value, then it terminates the syslog content field with the prior CEG name-value pair.