Hi there,
I'm using a Splunk UF to monitor a Windows folder and syslog the events to a remote server where they are collected and written to Hadoop.
From reading previous questions here, I understand that the syslog universal forwarder is RFC 3164 compliant. That is, events have a maximum length of 1024 bytes, after which they are truncated. I was wondering if there are plans to change that (perhaps by implementing RFC 5424?). If not, could anyone suggest an alternative?
Thanks in advance.
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf
maxEventSize =
* If specified, sets the maximum size of an event that splunk will transmit.
* All events exceeding this size will be truncated.
* Defaults to 1024 bytes.
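
To see which syslog outputs would truncate a given set of events under the setting quoted above, here is an added example (not part of the original answer or Splunk's own code) that reads an outputs.conf and compares event byte lengths against each group's effective maxEventSize. The stanza names, addresses and events are constructed. It assumes the limit applies to the raw event bytes only (no syslog header counted) and that each group takes the setting from its own stanza or falls back to the default.

```python
import configparser

DEFAULT_MAX_EVENT_SIZE = 1024  # default from the outputs.conf spec quoted above

# Constructed outputs.conf: stanza names and addresses are made up.
SAMPLE_OUTPUTS_CONF = """
[syslog:hadoop_collector]
server = 192.0.2.10:514
type = udp

[syslog:archive]
server = 192.0.2.11:514
maxEventSize = 8192

[tcpout:indexers]
server = 192.0.2.20:9997
"""

# Constructed events; the last one is 600 characters but 1200 bytes in UTF-8.
SAMPLE_EVENTS = ["short event", "x" * 1024, "y" * 1025, "\u00e9" * 600]


def syslog_limits(conf_text):
    """Map each [syslog:<group>] stanza to its effective maxEventSize."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(conf_text)
    return {
        name: parser.getint(name, "maxEventSize", fallback=DEFAULT_MAX_EVENT_SIZE)
        for name in parser.sections()
        if name.startswith("syslog:")  # other output types are ignored
    }


def truncation_report(conf_text, events):
    """Count, per syslog group, the events whose byte length exceeds the limit."""
    sizes = [len(e.encode("utf-8")) for e in events]  # the limit is in bytes
    return {
        name: {"limit": limit,
               "would_truncate": sum(size > limit for size in sizes),
               "largest_event": max(sizes, default=0)}
        for name, limit in syslog_limits(conf_text).items()
    }


if __name__ == "__main__":
    for group, row in truncation_report(SAMPLE_OUTPUTS_CONF, SAMPLE_EVENTS).items():
        print(group, row)
```

The `largest_event` figure gives a lower bound for the maxEventSize value a group needs if no event in the sample is to be cut.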