Question & Answer
Some of my larger events, like Windows and Firewall events that contain URLs are being truncated as they are at the payload limit for TCP. How do I increase my TCP maximum payload length?
This video is intended to assist administrators with how to adjust the TCP Syslog payload limit. This video is not a replacement for reading documentation, but highlights the procedure and provides an outlet for additional questions or reminders for administrators before they begin a new installation.
There is a System Setting in the user interface now that allows you to configure the TCP Syslog Maximum Payload Size.
- Log in to the Console as an administrator.
- Click the Admin tab.
- Click the System Settings icon.
- Click the Advanced icon.
- From the System Settings panel, update the Max TCP Syslog Payload Length value.
Extremely large payload values can impact performance of the event pipeline, QRadar support recommends setting a maximum value of 8,192 bytes. It is not recommended to increase the TCP Payload Length Value above 8,192 bytes without talking with support first.
Figure 1: Global TCP system setting values for QRadar appliances.
- Click Save.
IMPORTANT: Completing a full deploy will restart all services on all QRadar appliances. The user can verify if reports are running before taking this action as a full deploy will stop reports that are in progress, which will need to be manually restarted by a user or the administrator. This procedure will also temporarily stop event and flow collection on all appliances while services are restarting. It is recommended that administrators make this change during a maintenance window.
- From the Admin tab, click Advanced > Deploy Full Configuration.
- Click Continue to start the full deploy process.
After the deploy completes, all QRadar appliances are updated to accept the new maximum TCP payload size. This is a global setting to QRadar, so all managed hosts will be sent the change to accept larger TCP payload length. The payloads across all managed hosts will not truncate the values, unless they exceed 8,192 bytes.
If you continue to experience issues you should review the event payloads. If there is a control character or new line character in the event payload, then it will force the payload to split where the character occurs regardless of the settings in QRadar. There might also be an issue if your log source extension is truncating your payload, if an extension is being applied to the log source. Otherwise, administrators should verify that they have the latest DSM available to parse the event payloads and that the version of the appliance providing the events to QRadar are supported per the index of the DSM Configuration Guide.
Where do you find more information?
Internal Use Only
pre 7.2.5 patch 5:
to increase this limit you will need to modify
on the console.
look for the line
and update this to a higher parameter: 8192 or 16384
<parameter type="MaxPayload">new number</parameter>
Once you save this do a full deploy and the change should take effect,
to verify the setting was changed on your managed hosts check
/opt/qradar/conf/EC.xml and check the MaxPayload value reflects your new
16 June 2018