Article Number
000034495
Applies To
RSA Product Set: Netwitness for Packet
RSA Product/Service Type: Malware Analysis
RSA Version/Condition: 10.3, 10.4, 10.5, 10.6
Platform: CentOS
O/S Version: 6
Issue
Although Max Length (default: 2048 bytes) is set to a higher value, the MA audit log is still truncated to a certain length.
Cause
The syslog receiver has its own parameter for the maximum length of a received message.
Resolution
The customer needs to increase the maximum length of received messages in the receiver module (e.g. rsyslog). Please refer to the syslog receiver documentation.
Notes
Test: inject the same pcap into Netwitness twice.
- 1st attempt: Set Identity String on the Malware Analysis > Config page to SACE6942
- 2nd attempt: Set Identity String on the Malware Analysis > Config page to SACE6942_LONGERIDENTITY_STRING
Regardless of the length of the Identity String, the receiver (rsyslog 5.x) truncates the message to 2K (the default value for rsyslog 5.x), so the message ends at the same position in both attempts.
Reference: rsyslog
http://www.rsyslog.com/doc/v5-stable/configuration/global/index.html?highlight=maxmessagesize
$MaxMessageSize <size_nbr>, default 2k
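
The following is an added example, not part of the original article or of RSA's or rsyslog's code: a small check for a legacy-format rsyslog.conf that reports whether $MaxMessageSize is missing, too small, or set after the first input (rsyslog's documentation asks for it to be placed at the top, before any input is defined). The sample configurations, the 64k value and the 8192-byte requirement are constructed assumptions.

```python
import re

DEFAULT_MAX = 2 * 1024  # rsyslog 5.x default for $MaxMessageSize ("2k")
# rsyslog size suffixes: lower case is 1024-based, upper case is 1000-based
UNITS = {"": 1, "k": 1024, "m": 1024**2, "g": 1024**3,
         "K": 1000, "M": 1000**2, "G": 1000**3}
SIZE_RE = re.compile(r"^\$MaxMessageSize\s+(\d+)([kmgKMG]?)$", re.I)
INPUT_RE = re.compile(r"^\$(ModLoad\s+im\w+|InputTCPServerRun|UDPServerRun)\b", re.I)

def audit_rsyslog_conf(text, required_bytes):
    """Return (configured_size, findings) for legacy-format rsyslog.conf text."""
    size, size_line, first_input = DEFAULT_MAX, None, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = SIZE_RE.match(line)
        if m:
            size, size_line = int(m.group(1)) * UNITS[m.group(2)], n
        elif first_input is None and INPUT_RE.match(line):
            first_input = n
    findings = []
    if size_line is None:
        findings.append("no $MaxMessageSize set; the 2k default applies")
    elif first_input is not None and size_line > first_input:
        findings.append(f"$MaxMessageSize (line {size_line}) is set after the "
                        f"first input (line {first_input}); move it to the top")
    if size < required_bytes:
        findings.append(f"limit {size} < {required_bytes}: longer messages are truncated")
    return size, findings

# Constructed sample configurations (not taken from a real system)
WEAK = """\
$ModLoad imtcp
$InputTCPServerRun 514
*.* /var/log/messages
"""
FIXED = """\
$MaxMessageSize 64k   # must precede every input definition
$ModLoad imtcp
$InputTCPServerRun 514
*.* /var/log/messages
"""

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, audit_rsyslog_conf(conf, required_bytes=8192))
```

Set `required_bytes` to at least the Max Length configured on the Malware Analysis side, plus room for the syslog header.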