Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk rejects syslog messages

bosseres
Contributor
‎12-22-2022 10:34 PM

Hello, everyone

I've "all-in-one" splunk installation, configured syslog input, but input messages are rejected.

Below messages from splunkd.log

12-21-2022 09:24:24.966 +0300 ERROR TcpInputProc - Message rejected. Received unexpected message of size=1009858353 bytes from src=*:60020 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.
12-21-2022 09:24:24.969 +0300 ERROR TcpInputProc - Message rejected. Received unexpected message of size=1009987646 bytes from src=*:60032 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.
12-21-2022 09:24:24.975 +0300 ERROR TcpInputProc - Message rejected. Received unexpected message of size=1009858353 bytes from src=*:60034 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.
12-21-2022 09:24:31.739 +0300 ERROR TcpInputProc - Message rejected. Received unexpected message of size=1009858353 bytes from src=*:49684 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.

 

Tried to increase queueSize in inputs.conf, but without success result

Labels (2)
Labels
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-23-2022 06:38 AM

The messages are saying Splunk can't accept 1GB messages - the maximum is 64MB.  Verify the data coming in is indeed syslog and, if so, have the senders dial back the amount they send at a time.  If the data is not syslog then it should not be coming to a syslog input.

FTR, it's a Best Practice to receive syslog events via a dedicated syslog server (syslog-ng, rsyslog, SC4S) rather than directly to a Splunk instance.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...