Adapting the size of syslog UDP messages in QRadar

QRadar uses a default payload size of 1024 bytes for syslog UDP messages.
When a message exceeds this size, it will be automatically truncated.

Some of the events that SNS firewalls send exceed this size. Because the log type is placed at the end of the line, it is cut off by the truncation, so QRadar cannot extract the corresponding event category and treats these messages as unknown.

The maximum size of syslog UDP messages that IBM QRadar accepts must therefore be increased.
Raising the limit to 2048 bytes is sufficient to cover all types of messages that the firewall may send.
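To see why the trailing field matters, and to check exported firewall logs against a candidate limit before changing it, here is a small added checker (example code, not from Stormshield or IBM). It emulates a collector that keeps only the first N bytes of each datagram and reports the lines whose log type would no longer be readable. The `logtype="..."` key and the sample lines are constructed assumptions of an SNS-style key=value layout.

```python
"""Find syslog lines whose trailing log-type field would be lost
when a collector truncates each UDP payload to a fixed byte length."""
import re

# Assumed key name: SNS logs place the log type at the end of the line.
LOGTYPE_RE = re.compile(r'logtype="([^"]*)"')


def truncate_payload(message: bytes, max_len: int) -> bytes:
    """Emulate a collector that keeps only the first max_len bytes."""
    return message[:max_len]


def category_after_truncation(message: str, max_len: int):
    """Return the log type still readable after truncation, or None."""
    kept = truncate_payload(message.encode("utf-8"), max_len)
    # A cut in the middle of a multi-byte character must not raise.
    match = LOGTYPE_RE.search(kept.decode("utf-8", "ignore"))
    return match.group(1) if match else None


def audit(lines, max_len: int):
    """Return (line_number, byte_length) for every line that would lose
    its log type at the given payload limit."""
    lost = []
    for number, line in enumerate(lines, 1):
        if category_after_truncation(line, max_len) is None:
            lost.append((number, len(line.encode("utf-8"))))
    return lost


def build_sample(padding_bytes: int) -> str:
    """Constructed SNS-like line: key=value pairs, log type last."""
    head = 'id=firewall time="2024-01-01 12:00:00" fw="SNS-LAB" pri=5 '
    body = 'msg="' + "x" * padding_bytes + '" '
    return head + body + 'logtype="filter"'


# Constructed sample set: one short line and two that exceed 1024 bytes.
SAMPLE_LINES = [build_sample(200), build_sample(1100), build_sample(1900)]

if __name__ == "__main__":
    for limit in (1024, 2048):
        print(f"limit {limit}: lost log type on {audit(SAMPLE_LINES, limit)}")
```

Replace `SAMPLE_LINES` with lines read from a firewall log export to confirm that no real event exceeds the limit you intend to configure.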

Changing the payload size of syslog messages in QRadar

  1. Log in to your IBM QRadar console.
  2. In the Admin menu, select System settings.
  3. Switch the system settings panel from Basic to Advanced mode.
  4. In the Max UDP Syslog Payload Length field, enter 2048.
  5. Click on Save to save your changes.