Question & Answer
Question
Cause
- The Max TCP Syslog Payload Length value (Admin tab > System Settings > Advanced) is set too low for the events your source sends.
- The device sends the syslog payload with a line break character. A line break inside a syslog event payload splits the original payload into two or more events in QRadar.
- The TCP payload is larger than 32,767 bytes. QRadar reads at most 32,767 bytes for a single event; this is an existing product restriction, and any payload larger than 32,767 bytes is truncated when it is processed.
- The 32,767-byte maximum also applies to Disconnected Log Collector (DLC) devices.
- The remote event source sends UDP data to QRadar and the data is truncated at the 1,024-byte UDP default. Users must enable jumbo packets on their network to send UDP payloads larger than 1,024 bytes.
- An issue is preventing the maximum TCP payload value from being updated on a remote host. To confirm, send the same payload to another QRadar appliance: syslog log sources are cloned across all QRadar appliances, so a syslog message sent to any appliance is parsed and assigned to the correct log source.
Answer
Recommended event size by protocol:
- UDP syslog messages should not exceed 4,096 bytes.
- TCP syslog messages can be increased to 16,384 bytes if users experience truncated events. If event payloads are still truncated after you update the maximum payload size, increase the value to 32,767 bytes. TCP syslog event payloads cannot exceed 32,767 bytes in QRadar.
How to use tcpdump to confirm a truncated payload issue
If tcpdump shows the full payload arriving on the interface, then the truncation is happening inside QRadar: either the Max TCP Syslog Payload Length setting is too low, or a character in the payload is causing the event to be split or truncated. To use tcpdump to view syslog events:
- Using SSH, log in to the Console as the root user.
- To view syslog events, type the following command, replacing $IP with the address of the event source:
tcpdump -A -s 0 host $IP and port 514
If you require a larger payload, you can switch the event source from UDP to TCP so that QRadar receives larger packets. If the TCP payload length is still not large enough, you can increase it as described below. QRadar can handle a maximum payload of 32,767 bytes: if a user sets a larger value in the user interface, QRadar still truncates the event payload at 32,767 bytes regardless of the value set.
How to adjust the Maximum TCP Syslog Payload Length for your QRadar Deployment
- The System Setting is a global value and adjusts the maximum payload length for all QRadar appliances after the administrator deploys the change.
- Increasing the maximum payload message length might result in performance issues.
- Log in to the QRadar Console.
- Click the Admin tab.
- Click the System Settings icon.
- Click Advanced.
- In the Max TCP Syslog Payload Length field, type 16384.
- Click Save.
- From the Admin tab, select Advanced > Deploy Full Configuration.
- After services restart, the Managed Hosts are updated to allow TCP packets that are up to 16,384 bytes without truncation.
Further troubleshooting
If you continue to experience issues, review the event payloads.
If there is a control character or new line character in the payload, it forces the event to split where the character occurs, regardless of the settings in QRadar.
If a log source extension is applied to the log source, a truncated payload can cause additional parsing failures because the extension's patterns may no longer match.
Administrators can verify that they have the latest DSM available to parse the event payloads.
Administrators can confirm that the version of the originating appliance is supported, per the index of the DSM Configuration Guide.
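The checks described in the tcpdump section and in the troubleshooting notes above can be scripted. The following is an added example, not IBM code: given the raw bytes of one syslog message as it appears on the wire (for instance copied out of the tcpdump output), it reports whether QRadar would truncate the event at the configured payload limit for the protocol, whether the value set in the UI exceeds the 32,767-byte product limit, and whether an embedded line break or control character would split the event. The factory defaults of 1,024 bytes (UDP) and 4,096 bytes (TCP), the treatment of tab as a harmless character, and the sample messages are assumptions made for the example.

```python
"""Check captured syslog payloads against the QRadar limits in this technote.

Added example, not IBM code. Feed check_payload() the bytes of one syslog
message as seen on the wire and inspect the returned report.
"""
import re

# Limits quoted in the technote, in bytes.
UDP_RECOMMENDED_MAX = 4096   # IBM does not recommend UDP payloads above this
TCP_RECOMMENDED = 16384      # first value to try when TCP events are truncated
TCP_HARD_LIMIT = 32767       # QRadar reads at most this many bytes per event

# Assumed factory defaults of the two System Settings fields (the technote
# only states that UDP "is being truncated at 1,024 bytes").
DEFAULT_LIMIT = {"udp": 1024, "tcp": 4096}

# Bytes the technote says split an event regardless of settings: line breaks
# and other control characters. Tab is excluded here on the assumption that
# tab-delimited payloads (for example Windows events) parse normally.
LINE_BREAK = re.compile(rb"\r\n|\r|\n")
CONTROL = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def effective_limit(protocol, configured=None):
    """Bytes QRadar actually keeps for one event on this protocol.

    A TCP value above 32,767 typed into the UI is ignored: the event is
    still cut at 32,767 bytes.
    """
    proto = protocol.lower()
    limit = DEFAULT_LIMIT[proto] if configured is None else configured
    if proto == "tcp":
        limit = min(limit, TCP_HARD_LIMIT)
    return limit


def split_events(payload):
    """Pieces QRadar would produce if the payload contains line breaks."""
    return [p for p in LINE_BREAK.split(payload) if p]


def check_payload(payload, protocol, configured=None):
    """Diagnose one raw payload; returns a dict that can be asserted on."""
    proto = protocol.lower()
    limit = effective_limit(proto, configured)
    size = len(payload)
    pieces = split_events(payload)
    ctrl = [m.start() for m in CONTROL.finditer(payload)]
    report = {
        "bytes": size,
        "limit": limit,
        "truncated": size > limit,
        "kept": payload[:limit],        # what QRadar would store
        "split_into": len(pieces),
        "control_offsets": ctrl,
        "advice": [],
    }
    if report["truncated"]:
        if proto == "tcp":
            if size > TCP_HARD_LIMIT:
                report["advice"].append(
                    "exceeds the %d-byte product limit; shorten the event at the source"
                    % TCP_HARD_LIMIT)
            else:
                nxt = TCP_RECOMMENDED if size <= TCP_RECOMMENDED else TCP_HARD_LIMIT
                report["advice"].append(
                    "raise Max TCP Syslog Payload Length to %d and deploy" % nxt)
        elif size <= UDP_RECOMMENDED_MAX:
            report["advice"].append(
                "raise Max UDP Syslog Payload Length (up to 4096) and enable jumbo packets")
        else:
            report["advice"].append(
                "above the 4096-byte UDP recommendation; switch the source to TCP")
    if len(pieces) > 1:
        report["advice"].append(
            "embedded line break(s) split this into %d events; fix the sender's format"
            % len(pieces))
    if ctrl:
        report["advice"].append(
            "control characters at offsets %s may split the event" % ctrl)
    return report


def sample_event(size):
    """Constructed RFC 3164-style message padded to exactly `size` bytes."""
    head = b"<134>Jun 11 12:00:00 fw01 app: "
    return head + b"x" * (size - len(head))


if __name__ == "__main__":
    cases = [("tcp", 5000, None), ("tcp", 5000, 16384),
             ("tcp", 40000, 40000), ("udp", 2000, None)]
    for proto, size, cfg in cases:
        r = check_payload(sample_event(size), proto, cfg)
        print(proto, size, cfg, "truncated" if r["truncated"] else "ok", r["advice"])
    r = check_payload(sample_event(100) + b"\r\nsecond line", "tcp")
    print("split into", r["split_into"], r["advice"])
```

Run it against a real capture by pasting the `-A` output of a single message into `check_payload()` as bytes; if the report says the message is within the limit and not split, the truncation is happening upstream of QRadar and the tcpdump length itself should be compared with what the device claims to have sent.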
The WinCollect agent stops after you increase the maximum TCP connections per host
After you update the maximum TCP syslog connections, a WinCollect host might stop sending events. When that host stops sending events, messages similar to the following appear in /var/log/qradar.error:
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_35] com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigHandler:
[ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Encountered a problem in WinCollectConfigSocket Thread
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_35] java.net.SocketTimeoutException: Read timed out
To resolve this issue
- Log in to the WinCollect host not sending events as an admin user.
- Open the Services app.
- Scroll to the WinCollect service.
- Click restart.
The WinCollect service starts and the host resumes sending events.
How to adjust the Maximum UDP Syslog Payload Length
If the UDP payload length is not large enough, you can increase it as described below. IBM does not recommend UDP payload lengths greater than 4,096 bytes. To request support for larger UDP payloads as a product feature, submit a request through the IBM Ideas Portal.
Before you begin
- The System Setting is a global value and adjusts the maximum payload length for all QRadar appliances after the administrator deploys the change.
- Administrators must enable jumbo packets on their network to send UDP payloads greater than 1,024 bytes.
- Increasing the Maximum UDP payload message length might result in performance issues.
- Log in to the QRadar Console.
- Click the Admin tab.
- Click the System Settings icon.
- Click Advanced.
- In the Max UDP Syslog Payload Length field, type 4096.
- Click Save.
- From the Admin tab, select Advanced > Deploy Full Configuration.
- After services restart, the Managed Hosts are updated to allow UDP packets that are up to 4096 bytes without truncation.
Document Information
Modified date: 11 June 2024
UID: swg21622313