Other Usage
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Windows event log Splunk HF with truncation

sarvananth
Explorer
‎01-28-2024 06:19 AM

sarvananth_0-1706451087963.png

We are using Splunk Universal Forwarder (UF) to forward logs from a Windows server to a Splunk Heavy Forwarder (HF). However, when the Splunk HF receives logs of a specific type as multiline, an issue arises. In this case, when attempting to forward these logs from the Splunk HF to a syslog server (a Linux server with rsyslog configuration), the logs are getting truncated. How can we address and resolve this issue?

0 Karma
Reply

tscroggins
Influencer
‎01-28-2024 10:21 AM

Hi @sarvananth,

Have you reviewed rsyslog documentation for maximum message length and line endings? If you're forwarding using a syslog output over UDP, the transport itself has a limit of 65,535 bytes per datagram (subtract headers for maximum payload length). You may also want to transform the events by replacing line endings with an escape sequence of your choosing (or one required by the consumer).

Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-28-2024 07:20 AM

The screenshot shows an untruncated event.  What makes you believe the logs are getting truncated?  Please show a sanitized sample truncated event.

Why are the events going from a Splunk HF to a syslog server instead of to a Splunk indexer?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sarvananth
Explorer
‎01-28-2024 02:57 PM

please check the truncated event from syslog server 

sarvananth_0-1706482345395.png

We are attempting to send logs to both the Splunk indexer and the syslog server because different teams handle distinct log types. My team manages the system security logs specifically for SOC team monitoring.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...