Troubleshooting
Problem
In Juniper SRX 15.1X49D120 and later, new data is added to events, which can cause QRadar® to truncate them. By default, QRadar allows a maximum of 1024 characters, whereas Juniper SRX event payloads can often exceed 1230 characters in length. Administrators might be required to adjust the system settings in QRadar to accommodate larger UDP packets.
Symptom
Events received from a Juniper SRX 15.1X49D120 or later can be truncated due to the system setting Max UDP Syslog Payload Length in QRadar. When events are truncated, QRadar can fail to parse Juniper SRX events and display 'Unknown Juniper SRX', or event searches might not return the expected results when the value in the search query is at the end of the event payload.
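The truncation effect described above, as an added example (not IBM or Juniper code): it cuts a constructed SRX-style payload at the 1024-character default, reports which key="value" fields no longer survive, and gives the smallest limit that keeps a set of sampled payloads whole. The event layout, field names and helper names are assumptions made for illustration.

```python
import re

DEFAULT_LIMIT = 1024  # default maximum payload length stated on the page

# Matches complete key="value" pairs; a pair cut off mid-value will not match.
FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')


def stored_payload(payload, limit=DEFAULT_LIMIT):
    """What a receiver keeps when it retains only the first `limit` characters."""
    return payload[:limit]


def truncation_report(payload, limit=DEFAULT_LIMIT):
    """Compare the fields in the full payload with those that survive the cut."""
    full_fields = dict(FIELD_RE.findall(payload))
    kept_fields = dict(FIELD_RE.findall(stored_payload(payload, limit)))
    lost = [name for name in full_fields if name not in kept_fields]
    return {
        "length": len(payload),
        "truncated": len(payload) > limit,
        "lost_fields": lost,
    }


def minimum_limit(payloads):
    """Smallest limit that keeps every sampled payload whole."""
    return max(len(p) for p in payloads)


def build_sample(n_extra):
    """Constructed SRX-style event (ASCII only); names and values are illustrative."""
    head = ("<14>1 2020-09-03T10:00:00Z srx01 RT_FLOW - "
            "RT_FLOW_SESSION_CLOSE [junos@2636 ")
    fields = ['source-address="192.0.2.10"',
              'destination-address="198.51.100.20"']
    fields += ['extra-field-%d="%s"' % (i, "x" * 40) for i in range(n_extra)]
    fields.append('username="alice"')  # value at the very end of the payload
    return head + " ".join(fields) + "]"


if __name__ == "__main__":
    samples = [build_sample(2), build_sample(20)]
    for event in samples:
        print(truncation_report(event))
    print("limit needed for this sample:", minimum_limit(samples))
```

Run against a representative sample of real payloads, `minimum_limit` gives a lower bound for the value to set; the trailing `username` field shows why a search for a value at the end of the payload returns nothing once the event is cut.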
Document Location
Worldwide
Document Information
Modified date:
03 September 2020
UID
ibm16324211