IBM Support

QRadar: How to increase the maximum TCP payload size for event data

Question & Answer


Question

Some of my larger events, such as Windows and firewall events that contain URLs, are being truncated because they reach the TCP payload limit. How do I increase the maximum TCP payload length?

Answer

This video is intended to assist administrators in adjusting the TCP Syslog payload limit. The video is not a replacement for reading the documentation, but it highlights the procedure and provides an outlet for additional questions or reminders for administrators before they begin a new installation.


YouTube video: QRadar: How to increase the maximum TCP payload size for event data (3:35)
This brief video shows how to increase the size of the TCP Syslog payload in IBM QRadar.

The TCP Syslog maximum payload size is now a System Setting in the user interface, so it can be changed without editing configuration files on the Console.


Procedure
1. Log in to the Console as an administrator.
2. Click the Admin tab.
3. Click the System Settings icon.
4. Click the Advanced icon.
5. From the System Settings panel, update the Max TCP Syslog Payload Length value.

   Extremely large payload values can impact the performance of the event pipeline, so QRadar Support recommends setting a maximum value of 8,192 bytes. Increasing the TCP Payload Length value above 8,192 bytes is not recommended without talking to Support first.

   Figure 1: Global TCP system setting values for QRadar appliances.
6. Click Save.

   IMPORTANT: Completing a full deploy restarts all services on all QRadar appliances. Before taking this action, check whether any reports are running: a full deploy stops reports that are in progress, and they must be restarted manually by a user or the administrator. This procedure also temporarily stops event and flow collection on all appliances while services restart. Administrators should make this change during a maintenance window.

7. From the Admin tab, click Advanced > Deploy Full Configuration.
8. Click Continue to start the full deploy process.


Results
After the deploy completes, all QRadar appliances are updated to accept the new maximum TCP payload size. This is a global QRadar setting, so the change is sent to every managed host. Payloads on all managed hosts are no longer truncated unless they exceed the new limit (8,192 bytes if the recommended value was used).


Further troubleshooting
If you continue to experience issues, review the event payloads themselves. A control character or new line character inside an event payload forces the payload to split where that character occurs, regardless of the settings in QRadar. If a log source extension is applied to the log source, the extension may also be truncating the payload. Otherwise, administrators should verify that they have the latest DSM available to parse the event payloads, and that the version of the appliance sending events to QRadar is supported according to the index of the DSM Configuration Guide.

Where do you find more information?



Internal Use Only

http://www-01.ibm.com/support/docview.wss?uid=swg21683378

Before 7.2.5 Patch 5:
To increase this limit, you need to modify
/opt/qradar/conf/templates/configservices/pluggablesources/TCPSyslog.vm
on the Console. Look for the line
        <parameter type="MaxPayload">4096</parameter>
and update it to a higher value, such as 8192 or 16384:
        <parameter type="MaxPayload">new number</parameter>
Once you save this, do a full deploy and the change should take effect.
To verify that the setting was changed on your managed hosts, check
/opt/qradar/conf/EC.xml on each host and confirm that the MaxPayload value reflects your new
number.
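For the manual procedure on older releases, the edit and the post-deploy verification are easy to get wrong by hand across many managed hosts. The following Python is an added example, not IBM or QRadar code: it reads the MaxPayload parameter from a copy of the template, rewrites it, and compares the value in each host's EC.xml against the Console template. The XML excerpts are constructed stand-ins for the real TCPSyslog.vm and EC.xml files, and the refusal to go above 8,192 bytes without an explicit override encodes the Support recommendation from this page, not a QRadar-enforced limit.

```python
import re
from typing import Dict, Optional

RECOMMENDED_MAX_PAYLOAD = 8192

# Matches the parameter line quoted on the page; groups keep the tags intact.
PARAM_RE = re.compile(r'(<parameter type="MaxPayload">)(\d+)(</parameter>)')


def read_max_payload(xml_text: str) -> Optional[int]:
    """Return the MaxPayload value from a template or EC.xml excerpt, or None."""
    m = PARAM_RE.search(xml_text)
    return int(m.group(2)) if m else None


def set_max_payload(template_text: str, new_value: int, allow_above_recommended: bool = False) -> str:
    """Rewrite the first MaxPayload parameter in the template text.

    Refuses values above the Support-recommended 8,192 bytes unless the caller
    explicitly overrides, mirroring the advice to talk to Support first.
    """
    if new_value > RECOMMENDED_MAX_PAYLOAD and not allow_above_recommended:
        raise ValueError(f"{new_value} exceeds the recommended {RECOMMENDED_MAX_PAYLOAD} bytes")
    new_text, count = PARAM_RE.subn(rf"\g<1>{new_value}\g<3>", template_text, count=1)
    if count != 1:
        raise ValueError("MaxPayload parameter not found in template")
    return new_text


def verify_deployed(template_text: str, ec_xml_by_host: Dict[str, str]) -> Dict[str, bool]:
    """Report, per host, whether its EC.xml MaxPayload matches the Console template."""
    expected = read_max_payload(template_text)
    return {host: read_max_payload(ec_xml) == expected for host, ec_xml in ec_xml_by_host.items()}


# Constructed excerpts; real TCPSyslog.vm and EC.xml contain many more elements.
CONSTRUCTED_TEMPLATE = """<!-- constructed excerpt of TCPSyslog.vm -->
<protocol name="TCPSyslog">
  <parameter type="MaxPayload">4096</parameter>
</protocol>
"""

CONSTRUCTED_EC_XML = {
    # This host received the full deploy and picked up the new value.
    "ec-updated": '<ec><parameter type="MaxPayload">8192</parameter></ec>',
    # This host still carries the old value, e.g. it missed the deploy.
    "ec-stale": '<ec><parameter type="MaxPayload">4096</parameter></ec>',
}

if __name__ == "__main__":
    updated = set_max_payload(CONSTRUCTED_TEMPLATE, 8192)
    print("template now has MaxPayload =", read_max_payload(updated))
    for host, ok in verify_deployed(updated, CONSTRUCTED_EC_XML).items():
        print(f"{host}: {'matches' if ok else 'MISMATCH, re-run the full deploy'}")
```

In practice the template text would be read from TCPSyslog.vm on the Console and the EC.xml excerpts collected from each managed host after the full deploy; any host reported as a mismatch is still running the old payload limit.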

Product: IBM QRadar SIEM (SSBQAC); Business Unit: Security (BU008); Component: Admin Console; Platform: Linux (PF016); Version: 7.2

Document Information

Modified date:
16 June 2018

UID

swg21987398