How to set the message size of rsyslog and what is the default and maximum value?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • rsyslog

Issue

  • How to set the message size of rsyslog?
  • What's the default value of MaxMessageSize of rsyslog?
  • What's the maximum value that MaxMessageSize can be set to?
  • When rsyslog receives a long message, it fails with the message: rsyslogd: err Uncompression of a message failed with return code -3 - enable debug logging if you need further information. Message ignored.

Resolution

  • Set the maximum supported message size with the global directive MaxMessageSize in rsyslog.conf.
    For example (use either of the syntaxes below; both are valid):
    1. Legacy Syntax

       $MaxMessageSize 8k
    

    2. RainerScript Syntax

       global(workDirectory="/var/lib/rsyslog"
       maxMessageSize="8000"
       )
    
  • The default value of this directive is 2KiB or 8KiB, depending on the rsyslog version.

  • The maximum value of MaxMessageSize varies with the customer's environment. Usually, it can be set to several KB or dozens of KB.

Root Cause

  • Please refer to the rsyslog 5 documentation on www.rsyslog.com: Global Directives

      $MaxMessageSize <size_nbr>, default 2k - allows to specify maximum supported message size (both for sending and receiving). The default should be sufficient for almost all cases. Do not set this below 1k, as it would cause interoperability problems with other syslog implementations.
    
      Important: In order for this directive to work correctly, it must be placed right at the top of rsyslog.conf (before any input is defined).
    
      Change the setting to e.g. 32768 if you would like to support large message sizes for IHE (32k is the current maximum needed for IHE). I was initially tempted to set the default to 32k, but there is some memory footprint with the current implementation in rsyslog. If you intend to receive Windows Event Log data (e.g. via EventReporter), you might want to increase this number to an even higher value, as event log messages can be very lengthy (“$MaxMessageSize 64k” is not a bad idea). Note: testing showed that 4k seems to be the typical maximum for UDP based syslog. This is an IP stack restriction. Not always ... but very often. If you go beyond that value, be sure to test that rsyslogd actually does what you think it should do ;) It is highly suggested to use a TCP based transport instead of UDP (plain TCP syslog, RELP). This resolves the UDP stack size restrictions. Note that 2k is the smallest size that must be supported in order to be compliant with the upcoming new syslog RFC series.
    
  • Besides, the value differs according to the version of rsyslog. For more information, please refer to the documentation on www.rsyslog.com:
    rsyslog v7
    rsyslog v8
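
An added example (not part of the original solution and not rsyslog's own code): a small Python check that reads the text of an rsyslog.conf and flags the cases the quoted documentation warns about, namely the directive placed after an input, a value below 1k, and a value above 4k while a UDP input is configured. The sample configs are constructed; counting im* module loads as "input defined" and the 1024/1000 bases for the k/K suffixes are assumptions of this example.

```python
import re

# Constructed sample configs (not from the page).
SAMPLE_BAD = '''module(load="imudp")
input(type="imudp" port="514")
global(workDirectory="/var/lib/rsyslog"
       maxMessageSize="64k")
'''
SAMPLE_GOOD = '''$MaxMessageSize 8k
module(load="imtcp")
input(type="imtcp" port="514")
'''

SIZE_RE = re.compile(r'(?:^\$MaxMessageSize\s+|maxMessageSize\s*=\s*")(\d+)([kmg]?)', re.I)
# Assumption: module loads of im* and legacy listener directives count as "input defined".
INPUT_RE = re.compile(
    r'^(input\s*\(|module\s*\(\s*load\s*=\s*"im|\$ModLoad\s+im|\$InputTCPServerRun|\$UDPServerRun)',
    re.I)
UDP_RE = re.compile(r'imudp|\$UDPServerRun', re.I)

def to_bytes(num, suffix):
    # Assumed convention: lowercase suffix is 1024-based, uppercase is 1000-based.
    if not suffix:
        return int(num)
    base = 1024 if suffix.islower() else 1000
    return int(num) * base ** ("kmg".index(suffix.lower()) + 1)

def audit(conf_text):
    """Return (size_in_bytes_or_None, findings) for one rsyslog.conf text."""
    size = size_line = first_input = None
    udp = False
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = SIZE_RE.search(line)
        if m and size is None:
            size, size_line = to_bytes(m.group(1), m.group(2)), n
        if first_input is None and INPUT_RE.search(line):
            first_input = n
        udp = udp or bool(UDP_RE.search(line))
    if size is None:
        return None, ["unset"]                   # version default applies
    findings = []
    if first_input is not None and size_line > first_input:
        findings.append("after-input")           # must precede any input
    if size < 1024:
        findings.append("below-1k")              # interoperability problems
    if udp and size > 4096:
        findings.append("udp-over-4k")           # 4k is the typical UDP maximum
    return size, findings

if __name__ == "__main__":
    for name, conf in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, audit(conf))
```

The check only reads the one text it is given; files pulled in from /etc/rsyslog.d/ would have to be concatenated in load order before calling audit().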


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.