Windows Event ID 1003 messages can exceed the default maximum TCP syslog payload size in QRadar®. When they do, each event is split into two separate messages.
About this task
The default maximum payload size in QRadar is 4096 bytes. If Event ID 1003 messages are being split, you must increase the maximum payload size (the Max TCP Syslog Payload Length setting) so that each event arrives as a single, intact message.
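The following script models the cut-off described above so that you can see what a split event looks like and check a batch of messages against both the 4096-byte default and the 8,192-byte value the procedure sets. It is an added example, not IBM or QRadar code: it reproduces only the fixed-length cut, not the QRadar event pipeline, and the syslog header, host name, tag and event contents are constructed placeholders.

```python
"""Model of how an oversized TCP syslog payload gets cut at the receiver's
maximum payload length. Added example, not IBM or QRadar code: it reproduces
only the cut-off point described on this page, not the real QRadar event
pipeline. All sample events below are constructed for the demonstration."""

DEFAULT_MAX_PAYLOAD = 4096  # QRadar default Max TCP Syslog Payload Length
RAISED_MAX_PAYLOAD = 8192   # value the procedure on this page sets

# Constructed syslog header; the host and tag are placeholders.
SYSLOG_HEADER = "<13>Mar 10 12:00:00 winhost AgentLogger: "


def build_event(event_id, extra_fields):
    """Construct a Windows-style key=value event with a chosen number of
    padding fields, so its size can be pushed past either limit (test data)."""
    fields = [f"EventID={event_id}", "Channel=System", "Computer=winhost"]
    fields += [f"Field{i:04d}=value{i:04d}" for i in range(extra_fields)]
    return SYSLOG_HEADER + " ".join(fields)


def split_payload(message, max_len):
    """Cut the UTF-8 encoded message into chunks of at most max_len bytes.
    This models a receiver that closes a payload when it reaches max_len and
    treats whatever follows as the start of a new message."""
    data = message.encode("utf-8")
    return [data[i:i + max_len] for i in range(0, len(data), max_len)]


def has_syslog_header(chunk):
    """True if the chunk starts with a syslog PRI field such as '<13>'.
    A continuation chunk produced by the split has no PRI and no header, so a
    collector cannot tie it back to the original log source."""
    end = chunk.find(b">", 0, 6)
    return chunk.startswith(b"<") and end > 1 and chunk[1:end].isdigit()


def check_payloads(messages, max_len):
    """For each message return (size_in_bytes, fragment_count, intact), where
    intact means the event arrived as a single payload with its header."""
    report = []
    for message in messages:
        frags = split_payload(message, max_len)
        intact = len(frags) == 1 and has_syslog_header(frags[0])
        report.append((len(message.encode("utf-8")), len(frags), intact))
    return report


def smallest_sufficient_limit(messages, candidates=(DEFAULT_MAX_PAYLOAD, RAISED_MAX_PAYLOAD)):
    """Return the smallest candidate limit at which every message stays intact,
    or None if even the largest candidate would still split some message."""
    for limit in sorted(candidates):
        if all(intact for _, _, intact in check_payloads(messages, limit)):
            return limit
    return None


if __name__ == "__main__":
    # Constructed events: one within the default, one that the default splits
    # but 8,192 keeps intact, and one too large even for 8,192.
    events = [build_event(1003, 100), build_event(1003, 210), build_event(1003, 500)]
    for limit in (DEFAULT_MAX_PAYLOAD, RAISED_MAX_PAYLOAD):
        print(f"max payload {limit}:")
        for size, count, intact in check_payloads(events, limit):
            print(f"  {size} bytes -> {count} fragment(s), intact={intact}")
    print("smallest sufficient limit for the first two events:",
          smallest_sufficient_limit(events[:2]))
```

To use this against real data, replace the constructed events with the raw syslog lines captured from the Windows log source and look at the report for the 8,192-byte limit: any event that still shows more than one fragment is larger than the value the procedure sets, which is the point at which IBM support should be involved before the limit is raised further.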
Follow these steps to increase the maximum payload size.
Procedure
- Log in to the Console as an administrator.
- Click the Admin tab.
- Click System Settings.
- On the System Settings pane, set the Max TCP Syslog Payload Length value to 8,192.
  Tip: Extremely large payload values can impact performance of the event pipeline. Do not increase the Max TCP Syslog Payload Length value above 8,192 bytes without contacting IBM support.
- Click Save.
- On the Admin tab, click Deploy Full Configuration.
  Important: A full deployment restarts all services on all QRadar appliances. Check whether reports are running before you start the deployment, because a full deployment stops reports that are in progress, and those reports must be restarted manually by a user or the administrator. Event and flow collection also stops temporarily on all appliances while services restart. To avoid these issues, make this change during a maintenance window.
- Click Continue to start the full deployment.
Results
After the deployment completes, the change is sent to all QRadar managed hosts, which then accept the larger TCP syslog payload length. Event messages are no longer truncated or split on any managed host unless they exceed 8,192 bytes.