https://community.splunk.com/t5/Other-Usage/Windows-event-log-Splunk-HF-with-truncation/m-p/675687#M1666 <P>please check the truncated event from syslog server&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sarvananth_0-1706482345395.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/29108i2CE85E5C878EDD63/image-size/medium?v=v2&amp;px=400" role="button" title="sarvananth_0-1706482345395.png" alt="sarvananth_0-1706482345395.png" /></span></P><P>We are attempting to send logs to both the Splunk indexer and the syslog server because different teams handle distinct log types. My team manages the system security logs specifically for SOC team monitoring.</P> Sun, 28 Jan 2024 22:57:51 GMT sarvananth 2024-01-28T22:57:51Z https://community.splunk.com/t5/Other-Usage/Windows-event-log-Splunk-HF-with-truncation/m-p/675676#M1663 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sarvananth_0-1706451087963.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/29107i2B20172DA1E81C08/image-size/medium?v=v2&amp;px=400" role="button" title="sarvananth_0-1706451087963.png" alt="sarvananth_0-1706451087963.png" /></span></P><P>We are using Splunk Universal Forwarder (UF) to forward logs from a Windows server to a Splunk Heavy Forwarder (HF). However, when the Splunk HF receives logs of a specific type as multiline, an issue arises. In this case, when attempting to forward these logs from the Splunk HF to a syslog server (a Linux server with rsyslog configuration), the logs are getting truncated. How can we address and resolve this issue?</P> Sun, 28 Jan 2024 14:19:29 GMT https://community.splunk.com/t5/Other-Usage/Windows-event-log-Splunk-HF-with-truncation/m-p/675676#M1663 sarvananth 2024-01-28T14:19:29Z https://community.splunk.com/t5/Other-Usage/Windows-event-log-Splunk-HF-with-truncation/m-p/675679#M1664 <P>The screenshot shows an untruncated event.&nbsp; What makes you believe the logs are getting truncated?&nbsp; Please show a sanitized sample truncated event.</P><P>Why are the events going from a Splunk HF to a syslog server instead of to a Splunk indexer?</P> Sun, 28 Jan 2024 15:20:30 GMT https://community.splunk.com/t5/Other-Usage/Windows-event-log-Splunk-HF-with-truncation/m-p/675679#M1664 richgalloway 2024-01-28T15:20:30Z https://community.splunk.com/t5/Other-Usage/Windows-event-log-Splunk-HF-with-truncation/m-p/675682#M1665 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/258366">@sarvananth</a>,</P><P>Have you reviewed rsyslog documentation for maximum message length and line endings? If you're forwarding using a syslog output over UDP, the transport itself has a limit of 65,535 bytes per datagram (subtract headers for maximum payload length). You may also want to transform the events by replacing line endings with an escape sequence of your choosing (or one required by the consumer).</P> Sun, 28 Jan 2024 18:21:50 GMT https://community.splunk.com/t5/Other-Usage/Windows-event-log-Splunk-HF-with-truncation/m-p/675682#M1665 tscroggins 2024-01-28T18:21:50Z https://community.splunk.com/t5/Other-Usage/Windows-event-log-Splunk-HF-with-truncation/m-p/675687#M1666 <P>please check the truncated event from syslog server&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sarvananth_0-1706482345395.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/29108i2CE85E5C878EDD63/image-size/medium?v=v2&amp;px=400" role="button" title="sarvananth_0-1706482345395.png" alt="sarvananth_0-1706482345395.png" /></span></P><P>We are attempting to send logs to both the Splunk indexer and the syslog server because different teams handle distinct log types. My team manages the system security logs specifically for SOC team monitoring.</P> Sun, 28 Jan 2024 22:57:51 GMT https://community.splunk.com/t5/Other-Usage/Windows-event-log-Splunk-HF-with-truncation/m-p/675687#M1666 sarvananth 2024-01-28T22:57:51Z https://community.splunk.com/t5/Other-Usage/Windows-event-log-Splunk-HF-with-truncation/m-p/697066#M1849 <P>This can be caused by syslog not supporting newlines(\n).<BR />The following settings on the HF will improve this.<BR /><BR /></P> <LI-CODE lang="markup">props.conf [your-sourcetype] TRANSFORMS-◯◯ = transname transforms.conf [transname] INGEST_EVAL = _raw=replace(_raw, "\n", " ")</LI-CODE> Thu, 22 Aug 2024 15:58:55 GMT https://community.splunk.com/t5/Other-Usage/Windows-event-log-Splunk-HF-with-truncation/m-p/697066#M1849 JunYamaguchi 2024-08-22T15:58:55Z