[Oisf-users] issue with event size

Giuseppe Longo lists at glongo.it
Thu Jul 27 12:54:47 UTC 2017


Hello,
On Thu, 27/07/2017 at 07.50 -0400, erik clark wrote:
> So, I am pushing events into splunk from suricata. Life was great
> before http_response_body and http_request_body. However, after
> turning them on, I got a 28k size event, which caused a malformed
> event to be pushed into splunk, making it unreadable, as our splunk
> has a limit of 10k for an event. How can I limit the size of the
> http_response_body and http_request_body to the first 3k each? I am
> sure I have events bigger than this. Thanks!
> 

The problem with limiting http_request_body/http_response_body is that if
the matching part is lost, there is no more interest.

To have smaller events you can try to decrease
request-body-minimal-inspect-size and
response-body-minimal-inspect-size.

BR,
Giuseppe
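The reply above shrinks events at the source, by lowering how much body Suricata inspects. An alternative that the thread does not discuss is to leave inspection alone and cap the body fields when the EVE JSON is shipped to Splunk, so the alert still fits a 10k event limit while the first 3k of each body survives. The script below is an added example and is not code from the thread or from the Suricata project. It assumes EVE alert records carry the `http_request_body` / `http_response_body` fields (base64, as Suricata writes them when `http-body` is enabled) and, optionally, their `_printable` variants; the `_truncated` marker field and the sample event are constructed for this example.

```python
import base64
import json

# Body fields an EVE alert record can carry. The base64 ones are what the
# thread names; the _printable variants are the plain-text forms Suricata
# also emits when http-body-printable is enabled.
BODY_FIELDS = (
    "http_request_body",
    "http_response_body",
    "http_request_body_printable",
    "http_response_body_printable",
)


def truncate_body(value: str, limit: int, is_base64: bool) -> str:
    """Return `value` cut to at most `limit` characters.

    For base64 fields the cut is aligned to a 4-character quantum so the
    shortened value still decodes cleanly downstream (3 bytes per quantum).
    """
    if len(value) <= limit:
        return value
    cut = value[:limit]
    if is_base64:
        cut = cut[: len(cut) - (len(cut) % 4)]
    return cut


def trim_event(event: dict, limit: int) -> dict:
    """Cap every body field in one EVE record and flag what was shortened."""
    out = dict(event)
    for field in BODY_FIELDS:
        value = out.get(field)
        if not isinstance(value, str):
            continue
        is_b64 = not field.endswith("_printable")
        trimmed = truncate_body(value, limit, is_b64)
        if trimmed != value:
            out[field] = trimmed
            # Assumption: our own marker so analysts know the body is partial.
            out[field + "_truncated"] = True
    return out


def trim_eve_lines(lines, limit=3072):
    """Yield compact JSON lines with body fields capped at `limit` chars."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        yield json.dumps(trim_event(json.loads(line), limit), separators=(",", ":"))


def decoded_body_bytes(event: dict, field: str) -> bytes:
    """Decode a (possibly truncated) base64 body field back to raw bytes."""
    return base64.b64decode(event[field])


# Constructed sample: one alert whose response body is far above the budget.
SAMPLE_EVE_LINE = json.dumps({
    "timestamp": "2017-07-27T12:00:00.000000+0000",
    "event_type": "alert",
    "src_ip": "10.0.0.5",
    "dest_ip": "10.0.0.9",
    "alert": {"signature": "CONSTRUCTED test signature", "signature_id": 1000001},
    "http_request_body": base64.b64encode(b"user=demo&action=view").decode(),
    "http_response_body": base64.b64encode(b"A" * 6000).decode(),
})


def demo(limit: int = 3072) -> dict:
    """Run the sample line through the trimmer and return the parsed result."""
    return json.loads(next(trim_eve_lines([SAMPLE_EVE_LINE], limit)))


if __name__ == "__main__":
    result = demo()
    print(len(result["http_response_body"]), result.get("http_response_body_truncated"))
```

In practice this sits between the EVE file and the forwarder (for example reading stdin and writing stdout) with the limit chosen so the whole record stays under the Splunk cap; note that 3072 base64 characters represent only 2304 raw body bytes, so size the budget against whichever form the field is in. Trimming at shipping time keeps Suricata's own inspection and matching untouched, which addresses the concern in the reply that a match inside the body must not be lost.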