IBM Support

QRadar: TCP and UDP Syslog Maximum Payload Message Length for QRadar Appliances

Question & Answer


Question

For event logs, is there a limit to the size of a Syslog message that QRadar can accept?
And aside from syslog, is there a maximum payload size for other protocols, or overall system-wide?

Cause

Reasons why the event payload could be truncated in the QRadar user interface:
  • The Maximum TCP Syslog Payload value in the admin tab of QRadar is set too low for your event source.
  • The device sends the Syslog payload with a line break character. Line break characters within a Syslog event payload split the original payload into multiple events in QRadar.
  • The TCP payload is larger than 32,767 bytes. QRadar has a read limit of 32,767 bytes for a single event as an existing product restriction. Any payload larger than 32,767 bytes is truncated when processed.
  • The Payload maximum limit of 32,767 also applies to DLC devices.
  • The remote event source is sending UDP data to QRadar and it is being truncated at 1,024 bytes. Users must enable jumbo packets in their network to send UDP payloads larger than 1,024 bytes.
  • An issue is preventing the maximum TCP payload value from being updated on a remote host. Try sending the payload to another QRadar appliance to confirm. Syslog log sources are cloned across all QRadar appliances. A Syslog message sent to another QRadar appliance is parsed and assigned to the correct log source.
Note: The maximum payload length of 32,767 set in System Settings applies only to port 514. Some log sources, such as TLS Syslog and HTTP Receiver, let administrators apply their own Maximum Payload Length. If a Maximum Payload Length option is not listed in the Log Source configuration, administrators are limited to a 32,767-byte payload length for almost all other log sources. The one exception is Syslog Redirect, which is capped at 2,048 bytes.

Answer

QRadar can receive Syslog event messages of various sizes, but all appliances are configured with a default maximum event size. Messages that are larger than the maximum size specified for the TCP or UDP protocol can have their event payloads truncated or split into two events. The System Setting in QRadar is a global value and defines the default payload size beyond which QRadar attempts to split the data into two events.

Recommended event size by protocol:
  • UDP syslog messages should not exceed 4096 bytes.
  • TCP syslog messages can be increased to 16,384 bytes if users experience truncated events. If event payload truncation is still occurring after you update the maximum payload size, you can increase the value to 32,767 bytes. TCP Syslog event payloads cannot exceed 32,767 bytes in QRadar. 
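The following checker is an added example, not IBM's or QRadar's own code: it applies the limits listed above to a syslog payload before it is sent, and also flags embedded line-break or control characters, which split an event regardless of the setting. The 16,384 default for the TCP setting and the treatment of a tab character as harmless are assumptions.

```python
# Added example (not IBM's code): check a syslog payload against the QRadar
# limits this page describes before it is sent, and flag embedded line-break or
# control characters, which QRadar splits on regardless of the configured maximum.
import re

HARD_LIMIT = 32767          # bytes; single-event read limit, no setting exceeds it
UDP_NO_JUMBO_LIMIT = 1024   # bytes; UDP is truncated here unless jumbo packets are enabled
UDP_RECOMMENDED_MAX = 4096  # bytes; recommended ceiling for UDP syslog
SYSLOG_REDIRECT_CAP = 2048  # bytes; Syslog Redirect log source cap

# Line breaks (\n, \r) and other ASCII controls; assumption: tab (0x09) is tolerated.
_CONTROL_RE = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")
def check_payload(payload: bytes, transport: str, tcp_max: int = 16384,
                  jumbo: bool = False) -> list[str]:
    """Return the problems QRadar would have with this payload (empty list = OK).
    transport is 'udp', 'tcp' or 'redirect' (Syslog Redirect); tcp_max is the
    Max TCP Syslog Payload Length from System Settings (16,384 as in this page)."""
    problems = []
    size = len(payload)
    if transport == "udp":
        cap = UDP_RECOMMENDED_MAX if jumbo else UDP_NO_JUMBO_LIMIT
        if size > cap:
            problems.append(f"udp payload {size} B exceeds {cap} B "
                            f"({'recommended max' if jumbo else 'no-jumbo read limit'})")
    elif transport == "tcp":
        if size > HARD_LIMIT:
            problems.append(f"tcp payload {size} B exceeds hard limit {HARD_LIMIT} B; "
                            "raising Max TCP Syslog Payload Length will not help")
        elif size > tcp_max:
            problems.append(f"tcp payload {size} B exceeds configured max {tcp_max} B; "
                            "raise Max TCP Syslog Payload Length (up to 32,767)")
    elif transport == "redirect":
        if size > SYSLOG_REDIRECT_CAP:
            problems.append(f"syslog redirect payload {size} B exceeds "
                            f"{SYSLOG_REDIRECT_CAP} B cap")
    else:
        raise ValueError(f"unknown transport {transport!r}")
    # A single trailing newline is the TCP message terminator, not a split point.
    body = payload.rstrip(b"\r\n")
    m = _CONTROL_RE.search(body)
    if m:
        problems.append(f"control character 0x{m.group()[0]:02x} at offset {m.start()} "
                        "splits the event regardless of settings")
    return problems

# Constructed sample: a multi-line stack trace inside a single syslog message.
SAMPLE = b"<13>Jun 11 12:00:00 host app: failure\n  at Foo.bar()\n"
if __name__ == "__main__":
    print(check_payload(SAMPLE, "tcp"))
```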
 

How to use tcpdump to confirm a truncated payload issue

To verify whether an event was truncated for packet length, administrators can compare the output of a tcpdump with the event payload recorded for the Log Source in the Log Activity tab. If tcpdump shows the full packet arriving on the interface, then QRadar could be truncating the payload, either because of the Maximum TCP Payload Length setting or because a value in the payload is causing the split.

To use tcpdump to view syslog events:
  1. Using SSH, log in to the Console as the root user.
  2. To view Syslog events, type the following command:
    tcpdump -A -s 0 host $IP and port 514
    Replace $IP with the IP address of the device sending the Syslog events.
     
Note: If the device is sending events to a Managed Host in the network, you must SSH to the QRadar Console, then open an SSH session to the managed host and run the tcpdump command.

If you require the use of an expanded payload, you can switch from UDP to TCP to receive larger packets from your Syslog devices. If this payload length is still not large enough, you can increase the payload length as described in the next section. QRadar can handle a maximum payload size of 32,767 bytes. If a user sets a larger payload in the user interface, QRadar truncates the event payload at 32,767 bytes regardless of the value set in the user interface.
The message you would see in the qradar.log file indicating payload truncation would be something like the following:
com.q1labs.sem.types.SourcePayloadBase: [INFO] [NOT:0000006000][x.x.x.x/- -] [-/- -]Payload truncated from 32,768 to 32,767 bytes in SECEvent.
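As an added example that is not part of this IBM document, the following script picks the truncation message shown above out of qradar.log lines and reports, per source IP, whether the source only hit the configured Max TCP Syslog Payload Length or the 32,767-byte hard limit. The sample log lines are constructed in the quoted format, with made-up IP addresses.

```python
# Added example (not IBM's code): scan qradar.log for the SourcePayloadBase
# "Payload truncated" messages quoted above and summarise them per source IP,
# distinguishing sources that only hit the configured Max TCP Syslog Payload
# Length from sources that hit the 32,767-byte hard limit.
import re
from collections import defaultdict

HARD_LIMIT = 32767  # bytes; QRadar truncates here regardless of the UI setting
# Matches the format quoted on this page: the source IP is the first token of the
# "[x.x.x.x/- -]" bracket, and the byte counts may carry thousands separators.
_TRUNC_RE = re.compile(
    r"\[(?P<ip>[^/\]\s]+)/[^\]]*\].*?"
    r"Payload truncated from (?P<orig>[\d,]+) to (?P<kept>[\d,]+) bytes"
)

def parse_truncations(lines):
    """Yield (source_ip, original_bytes, kept_bytes) for each truncation message."""
    for line in lines:
        m = _TRUNC_RE.search(line)
        if m:
            yield (m.group("ip"),
                   int(m.group("orig").replace(",", "")),
                   int(m.group("kept").replace(",", "")))

def summarise(lines):
    """Per source IP: event count, largest original size, and the likely fix."""
    stats = defaultdict(lambda: {"count": 0, "max_original": 0})
    for ip, orig, _kept in parse_truncations(lines):
        s = stats[ip]
        s["count"] += 1
        s["max_original"] = max(s["max_original"], orig)
    for s in stats.values():
        if s["max_original"] > HARD_LIMIT:
            s["advice"] = "exceeds hard limit; shorten events at the source"
        else:
            s["advice"] = (f"raise Max TCP Syslog Payload Length to at least "
                           f"{s['max_original']} bytes and deploy the change")
    return dict(stats)

# Constructed sample lines in the format shown above (IPs are made up).
SAMPLE_LOG = """\
com.q1labs.sem.types.SourcePayloadBase: [INFO] [NOT:0000006000][10.0.0.5/- -] [-/- -]Payload truncated from 32,768 to 32,767 bytes in SECEvent.
com.q1labs.sem.types.SourcePayloadBase: [INFO] [NOT:0000006000][10.0.0.9/- -] [-/- -]Payload truncated from 20,100 to 16,384 bytes in SECEvent.
com.q1labs.sem.types.SourcePayloadBase: [INFO] [NOT:0000006000][10.0.0.9/- -] [-/- -]Payload truncated from 17,000 to 16,384 bytes in SECEvent.
com.q1labs.sem.someothermodule: [INFO] [NOT:0000006000][10.0.0.9/- -] [-/- -]Unrelated message.
""".splitlines()
if __name__ == "__main__":
    for ip, s in summarise(SAMPLE_LOG).items():
        print(ip, s)
```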

How to adjust the Maximum TCP Syslog Payload Length for your QRadar Deployment

If you require the use of an expanded payload, you can switch from UDP to TCP, which allows larger packets. If this payload length is not large enough, you can increase the payload length as described below. QRadar has a maximum allowed payload size of 32,767 bytes for TCP. If a user sets a larger payload in the user interface, QRadar truncates the event payload at 32,767 bytes regardless of the value set in the user interface. To request larger payloads as a product feature, see the IBM Request for Enhancement website.
Before you begin
  • The System Setting is a global value and adjusts the maximum payload length for all QRadar appliances after the administrator deploys the change.
  • Increasing the maximum payload message length might result in performance issues.
     
  1. Log in to the QRadar Console.
  2. Click the Admin tab.
  3. Click the System Settings icon.
  4. Click Advanced.
  5. In the Max TCP Syslog Payload Length field, type 16,384.
  6. Click Save.
  7. From the Admin tab, select Advanced > Deploy Full Configuration.
  8. After services restart, the Managed Hosts are updated to allow TCP packets that are up to 16,384 bytes without truncation.
     
 

Further troubleshooting
If you continue to experience issues, review the event payloads.
If there is a control character or new line character in the payload, then it forces the event to split where the character occurs regardless of the settings in QRadar.
If an extension is being applied to the log source, truncated payloads can cause more problems.
Administrators can verify that they have the latest DSM available to parse the event payloads.
Administrators can confirm that the version of the originating appliance is supported per the index of the DSM Configuration Guide.

The WinCollect agent stops after you increase the maximum TCP connections per host

After updating the maximum TCP syslog connections, a WinCollect host might stop sending events. When that host stops sending events, messages similar to the following can be seen in /var/log/qradar.error:

[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_35] com.q1labs.sem.semsources.wincollectconfigserver.WinCollectConfigHandler:
[ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Encountered a problem in WinCollectConfigSocket Thread
[ecs-ec-ingress.ecs-ec-ingress] [WinCollectConfigHandler_35] java.net.SocketTimeoutException: Read timed out

To resolve this issue

  1. Log in to the WinCollect host not sending events as an admin user.
  2. Open the Services app.
  3. Scroll to the WinCollect service.
  4. Click restart.
Results
The WinCollect service starts and the host sends events.

How to adjust the Maximum UDP Syslog Payload Length

If the payload length is not large enough, there are ways you can increase the payload length. UDP payload lengths greater than 4096 bytes are not recommended. To request provisions for larger payloads as a product feature, see the IBM Ideas Portal.

Before you begin

  • The System Setting is a global value and adjusts the maximum payload length for all QRadar appliances after the administrator deploys the change. 
  • Administrators must enable jumbo packets in their network to send UDP payloads greater than 1024 bytes.
  • Increasing the Maximum UDP payload message length might result in performance issues.

  1. Log in to the QRadar Console.
  2. Click the Admin tab.
  3. Click the System Settings icon.
  4. Click Advanced.
  5. In the Max UDP Syslog Payload Length field, type 4096.
  6. Click Save.
  7. From the Admin tab, select Advanced > Deploy Full Configuration.
  8. After services restart, the Managed Hosts are updated to allow UDP packets that are up to 4096 bytes without truncation.


Document Information

Modified date:
11 June 2024

UID

swg21622313