IBM Support

WinCollect: Incomplete or Truncated Event Payloads

Question & Answer


Question

WinCollect payloads sent from standalone or managed WinCollect agents use the protocol defined by the destination. If events are being truncated by the maximum payload size of the UDP protocol, administrators should confirm that they are sending payloads over TCP and review the System Settings on the QRadar appliance receiving the data.

Cause

Events forwarded over UDP have a default maximum payload size of 1024 bytes. When users send data with the UDP protocol, the events created by Windows hosts can often exceed 1024 bytes because message fields are typically very long. WinCollect can send payloads larger than 1024 bytes, but users should review both the destination configured in WinCollect and the maximum TCP payload size that QRadar accepts. By default, QRadar has a maximum TCP payload size of 16,384 bytes. It is recommended that users send Windows events using TCP and configure QRadar's global system setting to use an increased payload maximum.
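As an added example (not IBM's code), the following Python check applies the limits described above to a sample of payloads: it counts events that would not fit in a UDP datagram, flags received payloads whose size sits at the transport limit (a sign of truncation), and reports which Max TCP Syslog Payload Length would carry the largest event. The payload layout and field names in sample_event are constructed for illustration.

```python
# Added example, not IBM's code: size checks for WinCollect syslog payloads
# against the limits this note describes (UDP default 1024 bytes, QRadar
# Max TCP Syslog Payload Length default 16,384 bytes, panel maximum 32,000).
UDP_MAX_PAYLOAD = 1024
TCP_DEFAULT_MAX = 16384
TCP_HARD_MAX = 32000


def payload_size(event: str) -> int:
    """Bytes on the wire for one syslog payload (UTF-8 encoded)."""
    return len(event.encode("utf-8"))


def looks_truncated(received: str, transport: str, tcp_limit: int = TCP_DEFAULT_MAX) -> bool:
    """A received payload that fills the transport limit exactly was almost
    certainly cut off there; real events rarely land on the limit by chance."""
    limit = UDP_MAX_PAYLOAD if transport == "udp" else tcp_limit
    return payload_size(received) >= limit


def assess(events, tcp_limit: int = TCP_DEFAULT_MAX) -> dict:
    """Classify a sample of outgoing payloads and recommend a setting.

    recommendation is one of:
      'udp_ok'    - every payload fits in a UDP datagram as-is
      'tcp'       - switch to TCP; the current TCP limit already suffices
      'tcp_raise' - switch to TCP and raise the limit to needed_tcp_limit
      'too_large' - even the 32,000-byte maximum cannot carry the largest event
    """
    sizes = [payload_size(e) for e in events]
    largest = max(sizes, default=0)
    result = {
        "over_udp": sum(1 for s in sizes if s > UDP_MAX_PAYLOAD),
        "over_tcp": sum(1 for s in sizes if s > tcp_limit),
        "largest": largest,
        "needed_tcp_limit": tcp_limit,
    }
    if largest <= UDP_MAX_PAYLOAD:
        result["recommendation"] = "udp_ok"
    elif largest <= tcp_limit:
        result["recommendation"] = "tcp"
    elif largest <= TCP_HARD_MAX:
        result["recommendation"] = "tcp_raise"
        result["needed_tcp_limit"] = largest
    else:
        result["recommendation"] = "too_large"
        result["needed_tcp_limit"] = TCP_HARD_MAX
    return result


def sample_event(message_len: int) -> str:
    """Constructed WinCollect-style payload (73-byte header) with a Message field of message_len bytes."""
    header = "<13>Feb 11 10:00:00 WIN-HOST AgentDevice=WindowsLog EventID=4624 Message="
    return header + "x" * message_len
```

Run assess over a sample of events exported from a Windows host to decide whether the TCP destination alone is enough or whether the System Settings value must also be raised.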

Answer

To resolve this issue, change the protocol used from UDP to TCP. When changing the protocol from UDP to TCP, confirm that TCP port 514 is open on any firewalls located between the WinCollect agent and the target event collector.
WinCollect Managed
  1. Log in to the QRadar user interface.
  2. Click on the Admin tab > Log Sources.
  3. Using Search For Name from the pull-down, enter the name of the WinCollect Log Source.
  4. Scroll down to Target Internal Destinations and change the Event Collector to TCP.
  5. Click Save.
  6. Click the Admin tab.
  7. Click the System Settings icon.
  8. Click the Advanced icon.
  9. From the System Settings panel, update the Max TCP Syslog Payload Length value to 16,384 bytes.
  10. From the Admin tab, click Advanced > Deploy Full Configuration.
  11. Click Continue to start the full deploy process.

    Results
    Administrators can return to the Log Activity tab and review incoming WinCollect events to determine if the event payloads are complete and not truncated.
WinCollect Stand-alone
  1. Open WinCollect Configuration Console.
  2. Under Destinations, right click Syslog TCP > Add New Destination.
  3. Enter a new Destination name.
  4. Click on the Destination name and enter the Hostname in the Basic Configurations Window.
  5. Scroll down to Devices and click the Log Source.
  6. Scroll down on the Log Source Properties, click Add and select the TCP destination.
  7. Right click on any icon > Click Deploy Changes.
  8. Click the Admin tab.
  9. Click the System Settings icon.
  10. Click the Advanced icon.
  11. From the System Settings panel, update the Max TCP Syslog Payload Length value. Note: The maximum value that can be set is 32,000 bytes.
  12. From the Admin tab, click Advanced > Deploy Full Configuration.
  13. Click Continue to start the full deploy process.

    Results
    Administrators can return to the Log Activity tab and review incoming WinCollect events to determine if the event payloads are complete and not truncated.


Document Information

Modified date:
11 February 2021

UID

swg21991090