<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Syslog forwarding to 3rd party--How do I prevent events being truncated at 1024 bytes (952 char) in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-forwarding-to-3rd-party-How-do-I-prevent-events-being/m-p/158577#M32156</link>
    <description>&lt;P&gt;I have a Splunk Universal Forwarder (UF) installed on a Windows 2008 Server and it is forwarding logs to a Splunk Heavy Forwarder (HF).  The HF is configured to forward all events via Syslog (TCP) to a 3rd party receiver.&lt;/P&gt;

&lt;P&gt;The problem I'm having is that some of the more verbose Windows logs are being truncated at 1024 bytes (which comes out to around 952 characters).  I understand that there may be an RFC 3164 limitation, but from what I read that was at the UF (and a pcap shows the full log message being sent from UF to HF).&lt;/P&gt;

&lt;P&gt;Is there any way to edit or disable the 1024 byte truncation for events forwarded via Syslog from an HF?  Or, if this is an RFC 3164 limitation, is there possibly a way to change the output to be RFC 5424 compliant?&lt;/P&gt;

&lt;P&gt;Below is an example of event text and the random cutoff I'm experiencing:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;HOST01 10/09/2014 07:29:56 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=HOST01.domain1.com TaskCategory=Process Creation OpCode=Info RecordNumber=134491 Keywords=Audit Success Message=A new process has been created. Subject: Security ID:   NT AUTHORITY\SYSTEM Account Name:   HOST01$ Account Domain: DOMAIN1 Logon ID:   0x3e7 Process Information: New Process ID:  0xa70 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type:   TokenElevationTypeDefault (1) Creator Process ID:   0x8cc Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 i
&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Fri, 10 Oct 2014 00:34:17 GMT</pubDate>
    <dc:creator>durden123321</dc:creator>
    <dc:date>2014-10-10T00:34:17Z</dc:date>
    <item>
      <title>Syslog forwarding to 3rd party--How do I prevent events being truncated at 1024 bytes (952 char)</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-forwarding-to-3rd-party-How-do-I-prevent-events-being/m-p/158577#M32156</link>
      <description>&lt;P&gt;I have a Splunk Universal Forwarder (UF) installed on a Windows 2008 Server and it is forwarding logs to a Splunk Heavy Forwarder (HF).  The HF is configured to forward all events via Syslog (TCP) to a 3rd party receiver.&lt;/P&gt;

&lt;P&gt;The problem I'm having is that some of the more verbose Windows logs are being truncated at 1024 bytes (which comes out to around 952 characters).  I understand that there may be an RFC 3164 limitation, but from what I read that was at the UF (and a pcap shows the full log message being sent from UF to HF).&lt;/P&gt;

&lt;P&gt;Is there any way to edit or disable the 1024 byte truncation for events forwarded via Syslog from an HF?  Or, if this is an RFC 3164 limitation, is there possibly a way to change the output to be RFC 5424 compliant?&lt;/P&gt;

&lt;P&gt;Below is an example of event text and the random cutoff I'm experiencing:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;HOST01 10/09/2014 07:29:56 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=HOST01.domain1.com TaskCategory=Process Creation OpCode=Info RecordNumber=134491 Keywords=Audit Success Message=A new process has been created. Subject: Security ID:   NT AUTHORITY\SYSTEM Account Name:   HOST01$ Account Domain: DOMAIN1 Logon ID:   0x3e7 Process Information: New Process ID:  0xa70 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type:   TokenElevationTypeDefault (1) Creator Process ID:   0x8cc Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 i
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Fri, 10 Oct 2014 00:34:17 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Syslog-forwarding-to-3rd-party-How-do-I-prevent-events-being/m-p/158577#M32156</guid>
      <dc:creator>durden123321</dc:creator>
      <dc:date>2014-10-10T00:34:17Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog forwarding to 3rd party--How do I prevent events being truncated at 1024 bytes (952 char)</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-forwarding-to-3rd-party-How-do-I-prevent-events-being/m-p/158578#M32157</link>
      <description>&lt;P&gt;Hi durden123321,&lt;/P&gt;

&lt;P&gt;check your &lt;CODE&gt;props.conf&lt;/CODE&gt; for any &lt;CODE&gt;TRUNCATE&lt;/CODE&gt; or &lt;CODE&gt;MAX_EVENT&lt;/CODE&gt; set on &lt;CODE&gt;syslog&lt;/CODE&gt; sourcetype. See docs for more details &lt;A href="http://docs.splunk.com/Documentation/Splunk/6.1.4/Admin/Propsconf"&gt;http://docs.splunk.com/Documentation/Splunk/6.1.4/Admin/Propsconf&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;cheers, MuS&lt;/P&gt;</description>
      <pubDate>Fri, 10 Oct 2014 06:04:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Syslog-forwarding-to-3rd-party-How-do-I-prevent-events-being/m-p/158578#M32157</guid>
      <dc:creator>MuS</dc:creator>
      <dc:date>2014-10-10T06:04:47Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog forwarding to 3rd party--How do I prevent events being truncated at 1024 bytes (952 char)</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-forwarding-to-3rd-party-How-do-I-prevent-events-being/m-p/158579#M32158</link>
      <description>&lt;P&gt;props.conf under /opt/splunk/etc/system/local is empty and I do not see any config options in the doc you referenced related to manipulation of syslog output.  any other suggestions that are relevant to the question above?&lt;/P&gt;</description>
      <pubDate>Fri, 10 Oct 2014 12:10:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Syslog-forwarding-to-3rd-party-How-do-I-prevent-events-being/m-p/158579#M32158</guid>
      <dc:creator>durden123321</dc:creator>
      <dc:date>2014-10-10T12:10:05Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog forwarding to 3rd party--How do I prevent events being truncated at 1024 bytes (952 char)</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-forwarding-to-3rd-party-How-do-I-prevent-events-being/m-p/158580#M32159</link>
      <description>&lt;P&gt;&lt;CODE&gt;truncate&lt;/CODE&gt; is the only setting in Splunk which will truncate events as confirmed by @jrodman in this answer &lt;A href="http://answers.splunk.com/answers/172844/very-long-log-events-coming-over-syslog-514udp-are.html#comment-173013"&gt;http://answers.splunk.com/answers/172844/very-long-log-events-coming-over-syslog-514udp-are.html#comment-173013&lt;/A&gt; so this is very relevant to your question &lt;span class="lia-unicode-emoji" title=":winking_face:"&gt;😉&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 14 Oct 2014 11:01:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Syslog-forwarding-to-3rd-party-How-do-I-prevent-events-being/m-p/158580#M32159</guid>
      <dc:creator>MuS</dc:creator>
      <dc:date>2014-10-14T11:01:15Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog forwarding to 3rd party--How do I prevent events being truncated at 1024 bytes (952 char)</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Syslog-forwarding-to-3rd-party-How-do-I-prevent-events-being/m-p/158581#M32160</link>
      <description>&lt;P&gt;RFC-5424 compatible issue has been fixed on version 6.2 and later. (SPL-88144)&lt;BR /&gt;
Please notice the default size is still 1024 by default, please increase the new variable &lt;STRONG&gt;maxEventSize&lt;/STRONG&gt; in outputs.conf:&lt;/P&gt;

&lt;HR /&gt;

&lt;P&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf"&gt;http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;maxEventSize = (integer)&lt;BR /&gt;
* If specified, sets the maximum size of an event that splunk will transmit. &lt;BR /&gt;
* All events excedding this size will be truncated.&lt;BR /&gt;
* Defaults to 1024 bytes.&lt;/P&gt;

&lt;HR /&gt;</description>
      <pubDate>Thu, 27 Nov 2014 05:08:08 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Syslog-forwarding-to-3rd-party-How-do-I-prevent-events-being/m-p/158581#M32160</guid>
      <dc:creator>mchang_splunk</dc:creator>
      <dc:date>2014-11-27T05:08:08Z</dc:date>
    </item>
  </channel>
</rss>

