Processing Jumbo Messages

In LogLogic LMI, messages that exceed the default processing limit (64 KB) are termed as jumbo messages. You can configure LogLogic LMI to process jumbo messages.

By default, LogLogic LMI cannot process messages larger than 64 KB according to the UDP syslog standard. However, you can enable this feature.

Enabling or disabling jumbo messages does not affect receiving and processing of replayed data and the functioning of the file collector. However, you must read the following Important Considerations section before enabling this feature.

Important Considerations
  • Enabling this option might impact search performance.
  • Jumbo messages can be processed by TCP syslog and ULDP, but not by UDP syslog.
  • Advanced Search can process jumbo messages. However, the classic search methods (such as index search and regular expression search) cannot.
  • For jumbo messages, the complete message content cannot be displayed on the Triggered Alerts, real-time reports, and Log Source Status pages.

To start processing jumbo messages, modify the /loglogic/conf/tcpcoll.conf file as follows:

Procedure

  1. Set the value of the UseTcpCollectorQueue property to 1.
  2. Specify the maximum message length. When the MaxMsgLength limit is exceeded, the extra characters of the messages are truncated. The valid values for the MaxMsgLength property are as follows:
    UseTcpCollectorQueue Valid range of MaxMsgLength (in bytes)
    1 (jumbo messaging is enabled) 5 to 1048576
    0 (jumbo messaging is disabled) 5 to 65535
    If the value of MaxMsgLength is invalid or is not specified, the value is set to the maximum limit of message length.

What to do next

After updating the value of UseTcpCollectorQueue or MaxMsgLength:
  • If you are running this setup on a single node that is not in an HA setup, you must restart mtask.
    1. $ mtask stop
    2. $ mtask start
  • If you are running this setup in an HA setup, you must restart both active and passive nodes.