Getting Data In

How do you increase maximum UDP log size?

abori
Engager

We are experiencing a complete loss of the log message if it's over approx. 1400 characters. The message doesn't show up in search results for that given endpoint.

I've tried the suggestions here and here. Neither of them worked for me.

We are using log4net with the following configuration:

  <log4net>
    <appender name="SplunkAppender" type="log4net.Appender.UdpAppender">
      <remoteAddress value="splunk.myserver.com" />
      <remotePort value="2221" />
      <layout type="log4net.Layout.PatternLayout">
        <ConversionPattern value="%utcdate log_level=%level url=%property{URL} referrer=%property{HttpReferer} agent=%property{UserAgent} %n desc=&quot;%message&quot;" />
      </layout>
    </appender>
    <root>
      <level value="INFO" />
      <appender-ref ref="SplunkAppender" />
    </root>
  </log4net>

gkanapathy
Splunk Employee

It's most likely a problem with either the log4net UdpAppender, or with your network.

A UDP syslog message by protocol definition cannot be over 1024 bytes, though this is often ignored. However, it physically must fit into a single UDP packet. A UDP packet can be over 1400 bytes, but this number is suspiciously close to the Ethernet MTU of 1500 bytes, minus overhead. Probably something in either your software, stack, or network is disallowing the transmission of UDP packets larger than the Ethernet MTU, or something is failing to fragment the UDP packet to fit into the MTU. This is a pretty low-level problem that you'd probably have to talk to network admins about.

You can test first simply using "ping -s" using varying packet sizes to see if you can ping with more than 1500 bytes. (You probably can't.) You can also ascertain whether it's a Splunk problem by using nc or ncat on the Splunk server and sending your UDP messages to that program, and seeing if they arrive.
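The "MTU minus overhead" arithmetic and the send-to-a-listener test described in the answer above, as an added example that is not part of the original thread or of any Splunk or log4net code. It computes the largest UDP payload that fits in one unfragmented packet for a given MTU (1500 minus a 20-byte IPv4 header and 8-byte UDP header gives 1472; with a 40-byte IPv6 header it gives 1452), then sends datagrams of several sizes to a throwaway in-process listener and reports how many bytes of each arrived. The loopback host, the ephemeral listener port and the list of probe sizes are assumptions chosen so it runs offline; to test the real path, run the listener side on the Splunk host (or use `nc`/`ncat` there, as the answer suggests) and point the sender at it.

```python
import socket
import threading

IPV4_HEADER = 20   # bytes, no IP options
IPV6_HEADER = 40
UDP_HEADER = 8
ETHERNET_MTU = 1500


def max_udp_payload(mtu=ETHERNET_MTU, ipv6=False):
    """Largest UDP payload that fits in a single IP packet of `mtu` bytes
    without fragmentation: MTU minus the IP header minus the UDP header."""
    ip_header = IPV6_HEADER if ipv6 else IPV4_HEADER
    return mtu - ip_header - UDP_HEADER


def probe_udp_sizes(sizes, host="127.0.0.1", timeout=2.0):
    """Send one datagram of each size in `sizes` to a listener on `host` and
    return {size: bytes_received} (None means the datagram never arrived or
    the stack refused to send it). Each payload starts with its nominal size
    as a 6-digit prefix so a truncated copy can still be matched to the size
    that was sent. Loopback is an assumption: in practice the listener runs
    on the Splunk host and the sender on the log4net client."""
    assert min(sizes) >= 6, "payload must have room for the 6-digit size prefix"
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((host, 0))            # 0 = let the OS pick a free port
    listener.settimeout(timeout)
    port = listener.getsockname()[1]
    received = {}

    def serve():
        # Receive at most one datagram per probe; give up after `timeout`
        # of silence, which is how a dropped datagram shows up.
        for _ in sizes:
            try:
                data, _addr = listener.recvfrom(65535)
            except socket.timeout:
                break
            nominal = int(data[:6].decode())
            received[nominal] = len(data)

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for n in sizes:
        payload = f"{n:06d}".encode() + b"x" * (n - 6)
        try:
            sender.sendto(payload, (host, port))
        except OSError:
            received[n] = None          # e.g. larger than the stack allows
    worker.join(timeout + 1)
    sender.close()
    listener.close()
    return {n: received.get(n) for n in sizes}


if __name__ == "__main__":
    print("max UDP payload, IPv4 @ 1500 MTU:", max_udp_payload())
    print("max UDP payload, IPv6 @ 1500 MTU:", max_udp_payload(ipv6=True))
    # Probe sizes bracket the 1400-1500 range discussed in the thread (constructed).
    for size, got in probe_udp_sizes([512, 1400, 1452, 1472, 1473, 4096]).items():
        if got is None:
            status = "dropped"
        elif got == size:
            status = "ok"
        else:
            status = f"truncated to {got} bytes"
        print(f"{size:5d} bytes -> {status}")
```

Over loopback every size arrives intact, because the loopback interface has a very large MTU; run the same probe across the real network segment and a result of "truncated" or "dropped" at sizes just above `max_udp_payload()` points at a fragmentation or MTU problem between the client and the Splunk host, which is the network-layer cause the answer describes.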

abori
Engager

After running wireshark on the client and server, we found that the messages were being truncated to fit in one UDP packet (max 1452 bytes). Even though the server was receiving the truncated message, it was not showing up in the Splunk logs. We don't mind truncated messages. We mind dropped messages. Any ideas?
