11-08-2006 02:46 PM - edited 03-10-2019 03:19 AM
When we tried our MOM integration we ran into a 512 string limitation in the MARS which makes MOM integration extremely difficult. The last I heard the fix was unconfirmed for 08. My question is concerning syslog forwarded from an Exchange server straight to MARS. Will we have the same event truncation issue if the Exchange server syslogs (via Snare) are larger than 512 bytes? We already planned on doing custom parsing for those events; is there anything we can do to make it work if the events are larger than the string limit?
Thanks!
Geoff
11-09-2006 06:06 AM
I was told by Cisco a long time ago that this would be fixed. Certainly 1024 bytes would have been a more appropriate limitation. I believe this is the syslog protocol max size, or it was at one time. That is the default Snare limit. They are too busy slapping in mom-and-pop features to fix the big stuff (my apologies to mom-and-pop).
Have you tried the custom parser? I've been meaning to test this but just haven't had time. I suppose it is possible that the parser works on the entire (or at least some larger piece) of the message.
11-09-2006 08:52 AM
We heard it was slated for 4.2; however, that obviously didn't make it in :). I believe the 512 limit is an old protocol limit and several syslog implementations handle larger messages.
We have not tried the custom parser yet. However, I was told that the truncation of the message happens BEFORE parsing begins. So if we lost the important data the parsing would be useless. However, we will probably try anyway.
Thanks for the response!
Geoff