Syslog forwarding to 3rd party: Why are events tru...

gcusello · ‎06-26-2020

Hi at all,

I have very long events (more than 10,000 chars) that I have to send via syslog (udp) to a third party system.

I'm working on an Heavy Forwarder with Splunk 8.0.3 running on Linux Red Hat.

Events are truncated at 1024.

I know that there the parameter maxEventSize to put in outputs.conf but it doesn't run in my situation (I inserted a very greater number in maxEventSize).

Had anyone the same problem?

Thanks in advance.

Ciao.

Giuseppe

Brujita · ‎08-04-2020

Hi,

What number did you set on maxEventSize ?

Did you restart the splunk service?

gcusello · ‎08-06-2020

Hi @Brujita,

Thank you for your answer.

I followed this problem with Splunk Support

In few words: I Tried to set maxEventSize to many values 1B, 65,000, 25,000 (yes: i restarted Splunk!) and I found that also adding a second pipeline the max number was between 20,000 and 26,000, otherwise the queues were full and system blocked.

There's no solution, so I changed the approach, using the "Splunk App for CEF" and reducing the message lenght.

Thank you again.

Ciao.

Giuseppe

Brujita · ‎08-23-2020

That is great @gcusello !! Thanks for the input.

Brujita

gcusello · ‎08-23-2020

Hi @Brujita,

if my answer solves your need, please accept the answer fot the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Syslog forwarding to 3rd party: Why are events truncated at 1024 bytes?

syslog

Splunk Observability Cloud | Customer Survey!

Happy CX Day, Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas