IBM Support

QRadar: Juniper SRX 15.1X49D120 or later events get truncated by QRadar

Troubleshooting


Problem

With Juniper SRX 15.1X49D120 and later, new data is added to events, which can cause QRadar® to truncate them. By default, QRadar allows a maximum of 1024 characters, while Juniper SRX event payloads can often exceed 1230 characters in length. Administrators might need to adjust the system settings in QRadar to accommodate larger UDP packets.

Symptom

Events received from Juniper SRX 15.1X49D120 or later can be truncated because of the system setting Max UDP Syslog Payload Length in QRadar. When events are truncated, QRadar can fail to parse Juniper SRX events and displays 'Unknown Juniper SRX', or event searches might not return the expected results when the value in the search query sits at the end of the event payload.
 

Cause

The maximum allowed size of UDP events in QRadar is 1,024 characters by default. Any event larger than 1,024 characters is truncated by the Syslog protocol.

Environment

Juniper SRX 15.1X49D120 or later.

Resolving The Problem

Procedure
  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab.
  3. Click the System Settings icon.
  4. Click Advanced.
  5. In the System Settings panel, review the Max UDP Syslog Payload Length value.
  6. Change the value to 1,280.
  7. Click Save.

Results

Administrators can open the Log Activity tab to confirm whether payloads parse correctly for Juniper SRX events. A common way to confirm that events are parsing correctly is to filter by your Juniper SRX log source and add the filter Event is Unparsed = True. The Event is Unparsed filter returns event results where the data is 'Unknown' for the log source. If you continue to experience issues, contact your network administrator to ensure that jumbo frames are enabled on devices if events pass through network switches between the QRadar appliance and the Juniper SRX device.
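As an added example (not IBM or Juniper code), the following Python check models the truncation described above against exported payloads: for each event longer than the configured Max UDP Syslog Payload Length it reports which key="value" fields at the end of the event would be lost at the default 1,024-character limit, and confirms they survive at 1,280. The sample event is constructed in the Juniper SRX structured-syslog style and is not captured from a device.

```python
import re

DEFAULT_MAX_UDP_PAYLOAD = 1024      # QRadar default Max UDP Syslog Payload Length
RECOMMENDED_MAX_UDP_PAYLOAD = 1280  # value set in the procedure above

# Constructed sample payload in SRX structured-syslog style (not real device output).
# The padding fields push the trailing session/user fields past the 1,024 mark.
SAMPLE_EVENT = (
    '<14>1 2020-09-03T10:00:00.000Z srx-fw RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.1.1.10" '
    'source-port="51234" destination-address="10.2.2.20" destination-port="443" '
    + " ".join(f'extra-field-{i}="value-{i:04d}"' for i in range(34))
    + ' session-id-32="123456" username="alice" roles="N/A"]'
)

# key="value" pairs as they appear in the structured-data block
FIELD_RE = re.compile(r'([\w.-]+)="([^"]*)"')


def truncate(payload: str, max_len: int) -> str:
    """Model the Syslog protocol's behaviour: keep only the first max_len characters."""
    return payload[:max_len]


def fields(payload: str) -> dict:
    """Extract complete key="value" fields; a field cut off mid-value does not match."""
    return dict(FIELD_RE.findall(payload))


def lost_fields(payload: str, max_len: int) -> list:
    """Names of fields in the full payload that are missing or damaged after truncation."""
    full = fields(payload)
    kept = fields(truncate(payload, max_len))
    return [name for name, value in full.items() if kept.get(name) != value]


def audit(payloads, max_len: int) -> list:
    """(index, length, lost field names) for every payload that exceeds max_len."""
    return [(i, len(p), lost_fields(p, max_len))
            for i, p in enumerate(payloads) if len(p) > max_len]


if __name__ == "__main__":
    for limit in (DEFAULT_MAX_UDP_PAYLOAD, RECOMMENDED_MAX_UDP_PAYLOAD):
        print(limit, audit([SAMPLE_EVENT], limit))
```

Run it against payloads exported from a Log Activity search to see whether 1,280 is enough for your own SRX events or whether the limit must be raised further.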

Document Location

Worldwide


Document Information

Modified date:
03 September 2020

UID

ibm16324211