Getting Data In

Syslog forwarding to 3rd party: Why are events truncated at 1024 bytes?

gcusello
SplunkTrust
SplunkTrust

Hi at all,

I have very long events (more than 10,000 chars) that I have to send via syslog (udp) to a third party system.

I'm working on an Heavy Forwarder with Splunk 8.0.3 running on Linux Red Hat.

Events are truncated at 1024.

I know that there the parameter maxEventSize to put in outputs.conf but it doesn't run in my situation (I inserted a very greater number in maxEventSize).

Had anyone the same problem?

Thanks in advance.

Ciao.

Giuseppe

Labels (1)
0 Karma

Brujita
Engager

Hi,

What number did you set on maxEventSize ?

 

Did you restart the splunk service?

 

 

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Brujita,

Thank you for your answer.

I followed this problem with Splunk Support

In few words: I Tried to set maxEventSize to many values 1B, 65,000, 25,000 (yes: i restarted Splunk!) and I found that also adding a second pipeline the max number was between 20,000 and 26,000, otherwise the queues were full and system blocked.

There's no solution, so I changed the approach, using the "Splunk App for CEF" and reducing the message lenght.

Thank you again.

Ciao.

Giuseppe

0 Karma

Brujita
Engager

That is great @gcusello !! Thanks for the input.

Brujita

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Brujita,

if my answer solves your need, please accept the answer fot the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...