Increasing the maximum TCP Syslog payload length for Radware AppWall

Increase the maximum TCP Syslog payload length for your RadWare AppWall appliance in IBM® QRadar® for payloads that are longer than the default maximum TCP Syslog payload length.

Before you begin

Important: Your RadWare AppWall device might have event payloads that are longer than the default maximum TCP Syslog payload length of 4096 bytes. This overage can result in the event payload being split into multiple events by QRadar. To avoid this behavior, increase the maximum TCP Syslog payload length. To optimize performance, start by configuring the value to 8192 bytes. The maximum length for RadWare AppWall events is 14,019 bytes.

The maximum QRadar syslog payload size is 32,000 bytes. For more information about increasing the QRadar maximum payload size, see QRadar: TCP and UDP Syslog Maximum Payload Message Length for QRadar Appliances (https://www.ibm.com/support/pages/qradar-tcp-and-udp-syslog-maximum-payload-message-length-qradar-appliances).

Procedure

  1. Login to the QRadar Console as an administrator.
  2. From the Admin tab, click System Settings > Advanced.
  3. In the Max TCP Syslog Payload Length field, type 8192, and then click Save.
  4. From the Admin tab, click Deploy Changes.