Topic
  • 4 replies
  • Latest Post - 2016-07-15T16:56:49Z by marplatense
marplatense
3 Posts

Pinned topic max. payload size (syslog via tcp)

2016-07-14T13:33:25Z | syslog tcp

Hi guys, I am using QRadar v7.2.6.

I have to log a message that is longer than 4096 bytes (I'm receiving it via syslog over TCP). However, it is getting chunked due to the limit restriction.

Because of this, I changed the Max TCP Syslog Payload Length in System Settings to a ridiculously large number and deployed the changes. However, the events I am getting from this source keep getting chunked into 4096-byte pieces.

Any ideas why it is not working or alternative ways to deliver the message in one piece?

 

TIA!

  • JonathanPechtaIBM
    165 Posts
    ACCEPTED ANSWER

    Re: max. payload size (syslog via tcp)

    2016-07-15T14:33:28Z


    There is a System Setting in the user interface now that allows you to configure the TCP Syslog Maximum Payload Size.

    Procedure

    1. Log in to the Console as an administrator.
    2. Click the Admin tab.
    3. Click the System Settings icon.
    4. Click the Advanced icon.
    5. From the System Settings panel, update the Max TCP Syslog Payload Length value to 8192.
    6. Click Save.
       Caution: Completing a full deploy will restart all services on all QRadar appliances. The user can verify whether reports are running before taking this action, as a full deploy will stop reports that are in progress, which will need to be manually restarted by a user or the administrator.
    7. From the Admin tab, click Advanced > Deploy Full Configuration.
    8. Click Continue to start the full deploy process.

    If you want to increase this value, you can change the value from 4096 to 8192. If the payloads are getting split into smaller chunks, either the extremely large value you entered is causing an issue or the value wasn't properly deployed, and you might try to complete a full deploy again. The payloads should come in intact as 8,192 bytes, unless there is a control character or regex issue that is truncating your payload in your log source extension.

    If you have any questions, feel free to ask or call me out directly using @Jonathan.Pechta (IBM); using the at (@) symbol with my username will send me an email directly about this issue.
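    As an added example (not code from this thread or from QRadar itself), a small Python model of the behaviour discussed above: a 6000-byte message arrives as two events when the receiver's payload limit is 4096 and as one intact event at 8192, plus a sender so the same marked test message can be pushed at a collector and then searched for by its marker in Log Activity. The host name, tag, priority and marker are constructed values; the receiver model assumes newline-framed TCP syslog with a hard per-event byte cap.

```python
import socket


def build_syslog_message(total_len, pri=14, host="app-host", tag="qradar-app",
                         marker="PAYLOAD-TEST"):
    """Constructed BSD-style syslog line of exactly total_len bytes, newline included."""
    header = f"<{pri}>Jul 15 14:33:28 {host} {tag}: {marker} ".encode()
    pad_len = total_len - len(header) - 1  # -1 for the newline that frames the message
    if pad_len < 0:
        raise ValueError("total_len is too small for the header")
    return header + b"X" * pad_len + b"\n"


def split_stream(data, max_payload):
    """Model of a newline-framed TCP syslog receiver with a maximum payload size.

    An event ends at a newline or once max_payload bytes are buffered, whichever
    comes first, so a message longer than the limit arrives as several consecutive
    events: the chunking described in the thread.
    """
    events, buf = [], bytearray()
    for byte in data:
        buf.append(byte)
        if byte == 0x0A or len(buf) >= max_payload:
            event = bytes(buf).rstrip(b"\n")
            if event:
                events.append(event)
            buf = bytearray()
    if buf:  # stream ended without a newline; deliver what was buffered
        events.append(bytes(buf))
    return events


def expected_event_count(message_len, max_payload):
    """Number of events one message of message_len bytes yields at a given limit."""
    return len(split_stream(build_syslog_message(message_len), max_payload))


def send_tcp(host, port, payload):
    """Push a framed test message at a collector; then search for the marker."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(payload)


if __name__ == "__main__":
    msg = build_syslog_message(6000)
    for limit in (4096, 8192):
        sizes = [len(e) for e in split_stream(msg, limit)]
        print(f"limit={limit}: {len(sizes)} event(s), sizes={sizes}")
```

    Sending the same 6000-byte message before and after the full deploy and counting events that contain the marker is a quick way to confirm the new limit actually took effect.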

  • michael2323jordan
    4 Posts

    Re: max. payload size (syslog via tcp)

    2016-07-14T19:32:58Z

    When I encountered this issue I had to contact Support as there were some settings they changed on the backend.

    michael2323jordan

  • marplatense
    3 Posts

    Re: max. payload size (syslog via tcp)

    2016-07-14T22:16:46Z

    Thanks. I am developing an app for QRadar, so I don't think that asking my clients to contact support for this will escalate. I am considering using UDP multiline in order to deliver the messages.

  • marplatense
    3 Posts

    Re: max. payload size (syslog via tcp)

    2016-07-15T16:56:49Z

    Thank you, it was really kind of you to give such a detailed explanation. I will try the UDP multiline, since I have already developed the code on my side and I don't want to waste it; in case it does not work out, I will review this option.