IBM Support

QRadar: How to increase the maximum TCP payload size for event data

Question & Answer


Question

Some of my larger events, such as Windows and firewall events that contain URLs, are being truncated because they reach the TCP payload limit. How do I increase the maximum TCP payload length?

Answer


Notice: This article is deprecated for a newer version. For the latest on TCP Maximum Payload settings, see: https://www.ibm.com/support/pages/node/216611.



The TCP Syslog Maximum Payload Size can now be configured as a System Setting in the user interface.

Procedure
  1. Log in to the Console as an administrator.
  2. Click the Admin tab.
  3. Click the System Settings icon.
  4. Click the Advanced icon.
  5. From the System Settings panel, update the Max TCP Syslog Payload Length value.

    Extremely large payload values can impact the performance of the event pipeline; QRadar Support recommends setting a maximum value of 16,384 bytes. Do not increase the Max TCP Syslog Payload Length above 16,384 bytes without discussing the potential performance impact on your appliances with the support team. The upper limit of the Max TCP Syslog Payload Length field is 32,000 bytes.

    Figure 1: Global TCP system setting values for QRadar appliances.
  6. Click Save.

    IMPORTANT: Completing a full deploy restarts all services on all QRadar appliances. Check whether any reports are running before taking this action, because a full deploy stops reports that are in progress, and those reports must be restarted manually by a user or the administrator. The full deploy also temporarily stops event and flow collection on all appliances while services restart. Administrators should make this change during a maintenance window.
  7. From the Admin tab, click Advanced > Deploy Full Configuration.
  8. Click Continue to start the full deploy process.


    Results
    After the deploy completes, all QRadar appliances accept the new maximum TCP payload size. Because this is a global QRadar setting, the change is pushed to every managed host so that all of them accept the larger TCP payload length. Payloads on all managed hosts are no longer truncated unless they exceed the configured maximum of 16,384 bytes.


    Further troubleshooting
    If you continue to experience truncation, review the event payloads themselves. A control character or newline character inside the event payload forces the payload to split at that character, regardless of the QRadar setting. If a log source extension is applied to the log source, check whether the extension is truncating the payload. Otherwise, verify that the latest DSM is installed to parse the event payloads and that the version of the appliance sending events to QRadar is supported according to the index of the DSM Configuration Guide.
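    The following pre-flight check is an added example, not IBM's code or part of this article. It scans raw syslog payloads captured from a log source and reports which ones would be split (embedded control or newline characters, which the article says split the payload regardless of the setting) or truncated (longer than the configured Max TCP Syslog Payload Length). The sample events and the assumption that every byte in the 0x00-0x1F/0x7F range behaves as a splitting control character are constructed for this illustration.

```python
import re

# Recommended maximum from the article (bytes); the field's upper limit is 32,000.
RECOMMENDED_MAX_TCP_SYSLOG_PAYLOAD = 16384

# Assumption for this example: any C0 control character or DEL (newline included)
# is treated as a point where QRadar splits the payload.
CONTROL_CHAR = re.compile(rb"[\x00-\x1f\x7f]")


def check_payload(payload: bytes, max_len: int = RECOMMENDED_MAX_TCP_SYSLOG_PAYLOAD) -> dict:
    """Report whether one raw syslog payload would be split or truncated."""
    split_points = [m.start() for m in CONTROL_CHAR.finditer(payload)]
    fragments = CONTROL_CHAR.split(payload) if split_points else [payload]
    return {
        "length": len(payload),
        "truncated": len(payload) > max_len,
        "split_points": split_points,
        "fragment_count": len(fragments),
        "longest_fragment": max(len(f) for f in fragments),
    }


def check_payloads(payloads, max_len: int = RECOMMENDED_MAX_TCP_SYSLOG_PAYLOAD) -> dict:
    """Return only the payloads that need attention, keyed by their index."""
    findings = {}
    for i, p in enumerate(payloads):
        result = check_payload(p, max_len)
        if result["truncated"] or result["split_points"]:
            findings[i] = result
    return findings


# Constructed sample events (not real customer data).
SAMPLE_PAYLOADS = [
    b"<13>Jun  2 10:00:00 fw01 allow src=10.0.0.5 dst=203.0.113.9 url=https://example.com/ok",
    # Firewall event with a newline embedded in the URL parameter: splits into two events.
    b"<13>Jun  2 10:00:01 fw01 allow src=10.0.0.5 url=https://example.com/a?q=1\nrest=of-event",
    # Oversized Windows event: padding pushes it past the recommended 16,384-byte maximum.
    b"<13>Jun  2 10:00:02 win01 AgentDevice=WindowsLog Message=" + b"A" * 17000,
]

if __name__ == "__main__":
    for idx, finding in check_payloads(SAMPLE_PAYLOADS).items():
        print(f"payload {idx}: {finding}")
```

Run it against payloads exported from the source device (for example, a packet capture or the device's own log file) before raising the QRadar setting, so that splitting caused by control characters is not mistaken for a payload-length problem.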


Document Information

Modified date:
02 June 2021

UID

swg21987398