topic Re: Splunk Audit Log Truncate in Monitoring Splunk

Splunk Audit Log Truncate

DanielAmlung — Wed, 05 Jun 2024 12:51:13 GMT

Hi,

since a couple of days i getting these errors from one of my search heads:

"06-05-2024 14:33:35.300 +0200 WARN LineBreakingProcessor [3959599 parsing] - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 11513 - data_source="/opt/splunk/var/log/splunk/audit.log", data_host="XXX", data_sourcetype="splunk_audit""

As far as i understood, i can set truncate value within the props.conf to a higher value. I just want to understand, why internal logs exceeds the line length. Can someone point me in the right direction why the audit logs exceeds this limit?

thanks

Re: Splunk Audit Log Truncate

richgalloway — Wed, 05 Jun 2024 14:53:27 GMT

The audit log exceeds the limit because Splunk wrote a very long event to the log. Why that happened is impossible to say without knowing more about the event itself.

Or is the question more like "shouldn't Splunk never write events longer than 10,000 characters?" If so, I don't disagree, but prefer Splunk give me the option (by increasing TRUNCATE) to log all of the event rather than cut off what might otherwise be important data.

Re: Splunk Audit Log Truncate

DanielAmlung — Wed, 05 Jun 2024 15:04:38 GMT

"Or is the question more like "shouldn't Splunk never write events longer than 10,000 characters?"

Yes - that would be my question. I assume splunk should know that it would exceed some length. So i dont get why there is a "limit" for internal logs. But yeah, that question has no real "this" or "that". Thanks for the reply

Re: Splunk Audit Log Truncate

richgalloway — Wed, 05 Jun 2024 17:24:43 GMT

Ideally, Splunk would know it's creating an event that's too large and modify TRUNCATE accordingly for that sourcetype. For log messages that glob together several pieces of information at run-time (like many audit events), the true size of the event won't be known in advance.