Adapting the size of syslog UDP messages in QRadar
QRadar uses a default payload size of 1024 bytes for syslog UDP messages.
When a message exceeds this size, it will be automatically truncated.
Some of the events that SNS firewalls send exceed this size. Because the log type is placed at the end of the line, it is cut off when the message is truncated: QRadar can then no longer extract the corresponding event category and treats these messages as unknown.
The size of syslog UDP messages that IBM QRadar accepts must therefore be changed.
Increasing the limit to 2048 bytes will sufficiently cover all types of messages that the firewall may send.
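The following added example (not code from the page, from Stormshield or from IBM) models the truncation described above so you can audit exported event lines before changing the limit: it cuts each message at the collector's payload size and checks whether the trailing log-type field still survives. The `logtype="..."` key=value field name, the syslog prefix and the sample lines are assumptions constructed for the demonstration.

```python
# Added example: simulate QRadar's UDP syslog payload truncation on
# SNS-style key=value event lines and check whether the trailing log-type
# field (assumed here to be logtype="...") can still be extracted.
import re
from typing import List, Optional, Tuple

DEFAULT_LIMIT = 1024  # QRadar's default UDP syslog payload size (bytes)
RAISED_LIMIT = 2048   # the value the page recommends


def truncate(payload: bytes, limit: int) -> bytes:
    """Model the collector discarding everything past `limit` bytes."""
    return payload[:limit]


def log_type(payload: bytes) -> Optional[str]:
    """Return the value of the logtype="..." field, or None if it was cut off
    (a partially truncated value without its closing quote also counts as lost)."""
    m = re.search(rb'logtype="([^"]*)"', payload)
    return m.group(1).decode("utf-8") if m else None


def survives(line: str, limit: int) -> bool:
    """True if the event category is still extractable after truncation at `limit`."""
    return log_type(truncate(line.encode("utf-8"), limit)) is not None


def audit(lines: List[str], limit: int = DEFAULT_LIMIT) -> List[Tuple[int, bool]]:
    """For each message: (UDP payload length in bytes, category survives at `limit`).
    Any entry longer than `limit` with False is an event QRadar would file as unknown."""
    return [(len(line.encode("utf-8")), survives(line, limit)) for line in lines]


def required_limit(lines: List[str]) -> int:
    """Smallest payload size that keeps every message intact (longest line)."""
    return max(len(line.encode("utf-8")) for line in lines)


# Constructed sample: one short event and one oversized event (padded msg field),
# both ending with the log-type field as the page describes.
SHORT = '<134>1 2024-01-01T00:00:00Z fw id=firewall msg="ok" logtype="filter"'
LONG = '<134>1 2024-01-01T00:00:00Z fw id=firewall msg="' + 'x' * 1100 + '" logtype="alarm"'
SAMPLE = [SHORT, LONG]

if __name__ == "__main__":
    for length, ok in audit(SAMPLE):
        print(f"{length:5d} bytes  category kept at {DEFAULT_LIMIT}: {ok}")
    print("limit needed for this sample:", required_limit(SAMPLE))
```

Run it against a file of real exported lines (one message per line) to see which events exceed the 1024-byte default and to confirm 2048 covers them.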