Hi,
As discussed on Twitter, I've noticed that the default configuration of truncate in Splunk, set to 10000, might prevent some events from Suricata from being fully stored.
I've seen this happen in both the alert and http sourcetypes. payload.printable seems to be the common cause for reaching the truncate limit.
Unfortunately, setting
TRUNCATE = 99999
in TA-Suricata itself did not work. It might be that some other setting is taking precedence.

The only way to apply the configuration was to apply it system-wide. I'll post the configuration ASAP.
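A quick way to see the problem the post describes before the data ever reaches an indexer is to scan eve.json for lines longer than Splunk's default TRUNCATE (10000 bytes) and report which field is responsible. The script below is an added example, not the poster's configuration or anything from TA-Suricata. It builds two constructed EVE-style events inline (one normal, one with an oversized payload), flags lines that exceed the limit, names the largest field (Suricata's EVE JSON spells it payload_printable; the post's payload.printable is the same field as displayed after extraction), and emulates Splunk's truncation to show that a cut event is no longer valid JSON, so every field after the cut, not just the payload, is lost to JSON field extraction. The event layout and the 12000-byte payload are assumptions made for the demonstration.

```python
import json

SPLUNK_DEFAULT_TRUNCATE = 10000  # bytes; Splunk's default TRUNCATE in props.conf


def build_sample_events():
    """Constructed EVE-style events (not real Suricata output)."""
    base = {
        "timestamp": "2019-01-01T00:00:00.000000+0000",
        "event_type": "alert",
        "src_ip": "10.0.0.1",
        "dest_ip": "10.0.0.2",
        "alert": {"signature": "constructed test signature", "signature_id": 1},
        "payload_printable": "GET / HTTP/1.1\r\n",
        "flow": {"pkts_toserver": 1},
    }
    big = json.loads(json.dumps(base))          # deep copy of the base event
    big["payload_printable"] = "A" * 12000      # assumed oversized payload; pushes the line past 10000 bytes
    return [json.dumps(base), json.dumps(big)]


def flatten(obj, prefix=""):
    """Yield (dotted_path, serialized_value) for every leaf of a JSON object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, prefix + key + ".")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from flatten(value, prefix + str(index) + ".")
    else:
        yield prefix.rstrip("."), json.dumps(obj)


def largest_field(event):
    """Dotted path of the leaf whose serialized value takes the most bytes."""
    path, _ = max(flatten(event), key=lambda kv: len(kv[1].encode("utf-8")))
    return path


def find_oversized(lines, limit=SPLUNK_DEFAULT_TRUNCATE):
    """Return (line_no, byte_length, largest_field) for every line Splunk would truncate."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        size = len(line.encode("utf-8"))
        if size > limit:
            hits.append((line_no, size, largest_field(json.loads(line))))
    return hits


def splunk_truncate(line, limit=SPLUNK_DEFAULT_TRUNCATE):
    """Emulate Splunk keeping only the first `limit` bytes of the raw event."""
    return line.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def still_parses(line):
    """True if the (possibly truncated) event is still valid JSON."""
    try:
        json.loads(line)
        return True
    except json.JSONDecodeError:
        return False


if __name__ == "__main__":
    events = build_sample_events()
    for line_no, size, field in find_oversized(events):
        print(f"line {line_no}: {size} bytes > {SPLUNK_DEFAULT_TRUNCATE}, largest field: {field}")
        truncated = splunk_truncate(events[line_no - 1])
        print(f"  valid JSON after truncation: {still_parses(truncated)}")
```

Run it against a real eve.json by replacing build_sample_events() with the file's lines; anything it reports will arrive in Splunk as a cut-off _raw that KV_MODE=json cannot extract. TRUNCATE is a parsing-time props.conf setting, so it only takes effect where parsing happens (indexers or heavy forwarders), and a value of 0 disables the limit entirely.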