
Windows event log Splunk HF with truncation

sarvananth
Explorer

[screenshot of the event as seen on the HF]

We are using Splunk Universal Forwarder (UF) to forward logs from a Windows server to a Splunk Heavy Forwarder (HF). However, when the Splunk HF receives logs of a specific type as multiline, an issue arises. In this case, when attempting to forward these logs from the Splunk HF to a syslog server (a Linux server with rsyslog configuration), the logs are getting truncated. How can we address and resolve this issue?


tscroggins
Influencer

Hi @sarvananth,

Have you reviewed rsyslog documentation for maximum message length and line endings? If you're forwarding using a syslog output over UDP, the transport itself has a limit of 65,535 bytes per datagram (subtract headers for maximum payload length). You may also want to transform the events by replacing line endings with an escape sequence of your choosing (or one required by the consumer).

richgalloway
SplunkTrust

The screenshot shows an untruncated event. What makes you believe the logs are getting truncated? Please show a sanitized sample truncated event.

Why are the events going from a Splunk HF to a syslog server instead of to a Splunk indexer?

---
If this reply helps you, Karma would be appreciated.

sarvananth
Explorer

Please check the truncated event from the syslog server.

[screenshot of the truncated event on the syslog server]

We are attempting to send logs to both the Splunk indexer and the syslog server because different teams handle distinct log types. My team manages the system security logs specifically for SOC team monitoring.


JunYamaguchi
Splunk Employee

This can be caused by syslog not supporting newlines (\n).
The following settings on the HF will improve this.

props.conf

# Apply the transform to the sourcetype whose events are being truncated.
# The part after "TRANSFORMS-" is an arbitrary class name; "flatten" is used here.
[your-sourcetype]
TRANSFORMS-flatten = transname

transforms.conf

# Rewrite _raw at ingest time so the whole event sits on a single line
# before it is forwarded to the syslog output.
[transname]
INGEST_EVAL = _raw=replace(_raw, "\n", " ")