Task #3294
openTest the maximum size for messages passed to the unix socket
Description
When logging to unix dgram socket the max message size is 64k. Goal is to test what happens if the messages we generate exceed that and come up with recommendations for how to handle this case.
Updated by Victor Julien about 5 years ago
- Related to Task #3288: Suricon 2019 brainstorm added
Updated by Victor Julien about 4 years ago
I think its safer to use the unix_stream option. Syslog output may have the same issue depending on which syslog daemon and network transport is in use. Should be documented.
Updated by Jason Ish over 3 years ago
On a modern Linux system I hit failures somewhere between 200000 and 250000 bytes. Interestingly, the failure was inside Suricata, not on the receiver. Too large of a write fails. I was unable to create the condition where the received message may be truncated. This is a good thing I suppose.
I do expect messages to be truncated when done over a UDP socket however, but we don't support that mode.
Updated by Jason Ish over 3 years ago
On FreeBSD the message size does appear be 65535 (at least by default). But like in Linux, the error is on Suricata's side where the message fails to send:
[100599] 22/4/2021 -- 11:40:00 [CS:logopenfile] - <Warning> -- [ERRCODE: SC_ERR_SOCKET(200)] - Write error on Unix socket "/tmp/suricata": Message too long; reconnecting...
In my opinion we don't have an issue here to worry about. Suricata will clearly fail, and the option is to move to unix_stream, or a file out.
NOTE: I had to modify the code to generate messages this size, but it doesn't mean that a logging situation couldn't be created to get to this size.
Updated by Jason Ish over 3 years ago
Even 5000 bytes seems to large for FreeBSD (at least on a default install).
Updated by Victor Julien over 3 years ago
The error message should probably indicate that the user should switch to unix_stream? And/or that certain options should be disabled, like payload logging?
Updated by Sachin Desai over 1 year ago
Jason Ish wrote in #note-5:
On a modern Linux system I hit failures somewhere between 200000 and 250000 bytes.
Hit the same problem, the reason for this range seems to be the system limit of /proc/sys/net/core/wmem_max
Switching unix_stream doesnt solve the problem altogether. There are limits there as well.