IBM Support

QRadar: Truncation of TLS Syslog Log Source Events.

Question & Answer


Question

You see truncated events in Log Activity for TLS Syslog Log Sources, even though the Max TCP Syslog Payload Length was increased in System Settings.

Cause

Max TCP Syslog Payload Length in System Settings is a global setting applied to all managed hosts, and it governs plain TCP syslog traffic only. TLS Syslog traffic, which arrives on the Log Source's dedicated TLS Syslog listener port, is limited per Log Source by the protocol's Max Payload Length property, which defaults to 4,096 bytes.
On the Event Collector that the Log Source is configured to collect from, the /var/log/qradar.log file contains the following warning, indicating that TLS Syslog messages larger than that limit are being split:
[WARN] [NOT:0000004000][<ec_ip_address>/- -] [-/- -]buffer overrun, TLS syslog message > 4096 bytes, message will be split

Answer

Increase the Max Payload Length to the required value for the affected TLS Syslog Log Source to prevent any further message splitting or truncation.
Procedure
To increase the Max Payload Length of the affected TLS Syslog Log Source:
  1. Open the Log Source Management app in the Console's Admin tab.
  2. Select Log Sources to manage Log Sources (Log Source Management app version 6.0.0 and later).
  3. In the Filter column, select the Protocol Type TLS Syslog.
  4. Identify the affected TLS Syslog Log Source currently receiving the truncated events.

  5. Click the three dots on the right side of the Log Source selection and select 'Edit'.
  6. On the Protocol tab, set Max Payload Length to a value large enough for the longest event the source sends, so that no further messages are split, and click Save.

  7. Monitor the Log Source and /var/log/qradar.log for any further evidence of message splitting or truncation.
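The following shell script is an added example for step 7 and is not part of the IBM technote. It scans a copy of qradar.log for the "buffer overrun" warning quoted in the Cause section, counts the warnings, reports the largest byte limit that was hit, and summarises them per Event Collector IP. The warning text and the /var/log/qradar.log path come from this page; the timestamp and process prefix of the sample lines, the sample collector address 10.0.0.5 and the unrelated INFO line are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the IBM technote): check an Event Collector's
# qradar.log for the TLS syslog "buffer overrun" split warning.
# The warning text and the /var/log/qradar.log path come from the technote;
# the sample log lines below are constructed, not captured from a system.

# Count the split warnings in a log file ($1). grep -c exits 1 on zero
# matches, so "|| true" keeps a printed "0" usable under set -e.
count_tls_overruns() {
    grep -c 'buffer overrun, TLS syslog message > [0-9][0-9]* bytes, message will be split' "$1" || true
}

# Largest byte limit named in any warning ($1 = log file). After raising
# Max Payload Length, the limit in any new warnings changes or, if the new
# value is large enough, the warnings stop. Prints nothing with no warnings.
max_tls_overrun_limit() {
    sed -n 's/.*TLS syslog message > \([0-9][0-9]*\) bytes.*/\1/p' "$1" | sort -n | tail -n 1
}

# Per-collector summary: "<count> <ec_ip> <limit>" for each distinct pair,
# taken from the "[NOT:...][<ec_ip>/- -]" part of the warning line.
tls_overruns_by_collector() {
    sed -n 's/.*\[NOT:[0-9]*\]\[\([^/]*\)\/- -\].*TLS syslog message > \([0-9][0-9]*\) bytes.*/\1 \2/p' "$1" \
        | sort | uniq -c | sed 's/^ *//'
}

# Constructed sample log: two split warnings from one collector (10.0.0.5 is
# an assumed address) and one unrelated INFO line that must not be counted.
SAMPLE_LOG="${TMPDIR:-/tmp}/qradar_sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Nov 13 10:01:02 ec01 [ecs-ec-ingress] [WARN] [NOT:0000004000][10.0.0.5/- -] [-/- -]buffer overrun, TLS syslog message > 4096 bytes, message will be split
Nov 13 10:01:03 ec01 [ecs-ec-ingress] [INFO] [NOT:0000006000][10.0.0.5/- -] [-/- -]constructed unrelated line for the example
Nov 13 10:01:09 ec01 [ecs-ec-ingress] [WARN] [NOT:0000004000][10.0.0.5/- -] [-/- -]buffer overrun, TLS syslog message > 4096 bytes, message will be split
EOF

# On a real collector, point the functions at /var/log/qradar.log instead.
echo "split warnings: $(count_tls_overruns "$SAMPLE_LOG")"
echo "largest limit hit: $(max_tls_overrun_limit "$SAMPLE_LOG")"
tls_overruns_by_collector "$SAMPLE_LOG"
```

Run it on the collector as `count_tls_overruns /var/log/qradar.log` before and after the change; a count that keeps growing after the new Max Payload Length has been deployed means the value is still smaller than the largest event the source sends.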
Results
The warning messages for split TLS Syslog messages are no longer seen in qradar.log, and events from the Log Source are no longer truncated in Log Activity.


Document Information

Modified date:
13 November 2020

UID

ibm16333521