IBM Support

QRadar: TCP and UDP Syslog Maximum Payload Message Length for QRadar Appliances

Question & Answer


Question

For event logs, is there a limit to the size of a Syslog message that QRadar can accept?

Cause

Reasons why the event payload could be truncated in the QRadar user interface:
  • The Maximum TCP Syslog Payload value in the admin tab of QRadar is set too low for your event source.
  • The device sends the Syslog payload with a line break character. Line break characters within a Syslog event payload can split the original payload into one or more events in QRadar.
  • The TCP payload is larger than 32,000 bytes. QRadar has a read limit of 32,000 bytes for a single event as an existing product restriction. Any payload larger than 32,000 bytes is truncated when processed.
  • The remote event source is sending UDP data to QRadar and it is being truncated at 1,024 bytes. Users must enable jumbo packets in their network to send UDP payloads larger than 1,024 bytes.
  • An issue is preventing the maximum TCP payload value from being updated on a remote host. Try sending the payload to another QRadar appliance to confirm. Syslog log sources are cloned across all QRadar appliances. A Syslog message sent to another QRadar appliance is parsed and assigned to the correct log source.
Note: The maximum payload length of 32,000 bytes set in System Settings applies only to port 514. Some Log Sources, such as TLS Syslog, allow administrators to apply a Maximum Payload Length. If a Maximum Payload Length option is not listed in the Log Source configuration, administrators are limited to a 4,096-byte payload length for any Log Source that does not use port 514.

Answer

QRadar can receive Syslog event messages of various sizes, but all appliances are configured with a default maximum event size. Messages that are larger than the maximum size of the RFC specification for the TCP and UDP protocol might have the event payloads truncated into two events. The System Setting in QRadar is a global value and defines the default payload size before QRadar attempts to split the data into two events.

Recommended event size by protocol:
  • UDP syslog messages should not exceed 4096 bytes.
  • TCP syslog messages can be increased to 16,384 bytes if users experience truncated events. If you still experience issues after updating the maximum payload size, you can increase the value to 32,000 bytes. TCP Syslog event payloads cannot exceed 32,000 bytes in QRadar. 
 

How to use tcpdump to confirm a truncated payload issue

To verify whether an event is being truncated for packet length, Administrators can compare the results of a tcpdump with the event payload recorded for the Log Source in the Log Activity tab. If tcpdump returns the full packet length based on the incoming data from the interface, then QRadar could be truncating the payload due to the Maximum TCP Payload Length setting or a value in the payload is causing the truncation issue.

To use tcpdump to view syslog events:
  1. Using SSH, log in to the Console as the root user.
  2. To view Syslog events, type the following command: tcpdump -A -s 0 host $IP and port 514

    Replace $IP with the IP address of the device sending the Syslog events.
     
Note: If the device is sending events to a Managed Host in the network, you must SSH to the QRadar Console, then open an SSH session to the managed host and run the tcpdump command.


How to adjust the Maximum TCP Syslog Payload Length for your QRadar Deployment

If you require the use of an expanded payload, you can switch from UDP to TCP, which allows larger packets. If this payload length is not large enough, there are ways you can increase the payload length. QRadar has a maximum payload allowed size of 32,000 bytes for TCP. If a user sets a larger payload in the user interface, QRadar truncates the event payload at 32,000 bytes regardless of the value set in the user interface. To request larger payloads as a product feature, see the IBM Request for Enhancement website.
Before you begin
  • The System Setting is a global value and adjusts the maximum payload length for all QRadar appliances after the administrator deploys the change.
  • Increasing the maximum payload message length might result in performance issues.
     
  1. Log in to the QRadar Console.
  2. Click the Admin tab.
  3. Click the System Settings icon.
  4. Click Advanced.
  5. In the Max TCP Syslog Payload Length field, type 16,384.
  6. Click Save.
  7. From the Admin tab, select Advanced > Deploy Full Configuration.
  8. After services restart, the Managed Hosts are updated to allow TCP packets that are up to 16,384 bytes without truncation.
     
 

Further troubleshooting
If you continue to experience issues, review the event payloads. If there is a control character or new line character in the payload, it forces the event to split where the character occurs, regardless of the settings in QRadar. If a log source extension is applied to the log source, the extension might also be truncating the payload. Otherwise, administrators can verify that they have the latest DSM available to parse the event payloads and that the version of the appliance providing the events to QRadar is supported per the index of the DSM Configuration Guide.
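A pre-flight check that applies the limits and split behaviour listed under Cause and in the troubleshooting note above, as an added example (not IBM's or QRadar's code). The limits are the ones stated on this page; the sample payloads are constructed, and treating every C0 control character except TAB as an event separator is an assumption.

```python
from __future__ import annotations
import re

# Limits stated on this page, in bytes.
TCP_HARD_LIMIT = 32_000        # QRadar read limit for a single TCP syslog event
UDP_NO_JUMBO_LIMIT = 1_024     # UDP is cut here unless jumbo packets are enabled
UDP_RECOMMENDED_MAX = 4_096    # the page recommends not exceeding this for UDP

# Assumption: new-line and other C0 control characters (except TAB) split the
# event where they occur, as the troubleshooting note describes.
SPLITTER = re.compile(rb"[\x00-\x08\x0a-\x1f]+")


def effective_limit(transport: str, configured_max: int, jumbo: bool = False) -> int:
    """Bytes at which a single event is actually cut for this transport and setting."""
    if transport == "tcp":
        return min(configured_max, TCP_HARD_LIMIT)
    if transport == "udp":
        return configured_max if jumbo else min(configured_max, UDP_NO_JUMBO_LIMIT)
    raise ValueError(f"unknown transport: {transport}")


def simulate_ingest(payload: bytes, transport: str, configured_max: int,
                    jumbo: bool = False) -> list[bytes]:
    """Approximate how the payload appears in Log Activity: control characters
    split it into separate events first, then each event is truncated."""
    limit = effective_limit(transport, configured_max, jumbo)
    return [piece[:limit] for piece in SPLITTER.split(payload) if piece]


def diagnose(payload: bytes, transport: str, configured_max: int,
             jumbo: bool = False) -> list[str]:
    """Return which of the causes listed on this page apply to the payload."""
    findings = []
    pieces = [p for p in SPLITTER.split(payload) if p]
    if len(pieces) > 1:
        findings.append(f"line break/control character splits payload into {len(pieces)} events")
    size = len(payload)
    if transport == "tcp" and size > TCP_HARD_LIMIT:
        findings.append("TCP payload exceeds the 32,000-byte read limit")
    if transport == "udp" and size > UDP_NO_JUMBO_LIMIT and not jumbo:
        findings.append("UDP payload exceeds 1,024 bytes without jumbo packets")
    if transport == "udp" and size > UDP_RECOMMENDED_MAX:
        findings.append("UDP payload exceeds the recommended 4,096 bytes")
    if size > configured_max:
        findings.append(f"payload exceeds the configured Maximum Payload Length ({configured_max})")
    return findings


if __name__ == "__main__":
    sample = b"<13>May  6 05:15:37 host app: " + b"x" * 40_000   # constructed oversized event
    print(diagnose(sample, "tcp", 32_000))
```

Compare the events `simulate_ingest` returns with what the Log Source shows in the Log Activity tab; if they match, the cause is one of the listed limits or separators rather than the network path.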

WinCollect agent stops after increasing the maximum TCP connections per host

After updating the maximum TCP syslog connections, the WinCollect host might stop sending events. When this happens, messages similar to the following can be seen in /var/log/qradar.error:
 

May  6 05:15:37 ::ffff:192.168.x.x [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_35]
com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigHandler: 
[ERROR] [NOT:0000003000][192.168.x.x/- -] [-/- -]Encountered a problem in WinCollectConfigSocket Thread
May  6 05:15:37 ::ffff:192.168.x.x [ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_35] 
java.net.SocketTimeoutException: Read timed out


To resolve this issue:

  1. Log in to the WinCollect host not sending events as an admin user.
  2. Open the Services app.
  3. Scroll to the WinCollect service.
  4. Click restart.
Results
The WinCollect service starts and the host sends events.

How to adjust the Maximum UDP Syslog Payload Length for your QRadar Deployment

If the payload length is not large enough, there are ways you can increase the payload length. QRadar has a maximum payload allowed size of 32,000 bytes for TCP. If a user sets a larger payload in the user interface, QRadar truncates the event payload at 32,000 bytes regardless of the value set in the user interface. QRadar does not recommend using payload lengths greater than 4096 bytes. To request larger payloads as a product feature, see the IBM Request for Enhancement website.

Before you begin

  • The System Setting is a global value and adjusts the maximum payload length for all QRadar appliances after the administrator deploys the change. 
  • Administrators must enable jumbo packets in their network to send UDP payloads greater than 1024 bytes.
  • Increasing the Maximum UDP payload message length might result in performance issues.
  1. Log in to the QRadar Console.
  2. Click the Admin tab.
  3. Click the System Settings icon.
  4. Click Advanced.
  5. In the Max UDP Syslog Payload Length field, type 4096.
  6. Click Save.
  7. From the Admin tab, select Advanced > Deploy Full Configuration.
  8. After services restart, the Managed Hosts are updated to allow TCP packets that are up to 4096 bytes without truncation.


Document Information

Modified date:
01 July 2021

UID

swg21622313