anthonygtellez / TA-Suricata

This TA will make the Suricata eve.json fields match Splunk's CIM

Default truncate in Splunk might break events #3

Open 0xtf opened 5 years ago

0xtf commented 5 years ago

Hi,

As discussed on Twitter, I've noticed that the default configuration of truncate in Splunk, set to 10000, might break some events from Suricata and keep them from being fully stored.

I've seen this happen in both alert and http sourcetypes. payload.printable seems to be the common cause for reaching the limit of truncate.

Unfortunately setting TRUNCATE = 99999 in TA-Suricata itself did not work. It might be that some other setting is taking precedence.

The only way to apply the configuration was to apply it system-wide. I'll post the configuration ASAP.

0xtf commented 5 years ago


Added an image that shows how the truncate setting might cause important fields to be missed. Just for some more contextual information.
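To see how often the problem described in this issue would actually hit a given deployment, the following script (an added example, not part of the issue or of TA-Suricata) scans eve.json lines offline and reports every event whose raw length exceeds Splunk's default `TRUNCATE` of 10000 bytes, together with the top-level field that contributes most to its size. The sample events are constructed; they use Suricata's eve.json key `payload_printable`, which is the field referred to above as `payload.printable`.

```python
import json

# Splunk's default TRUNCATE for a sourcetype (props.conf), as discussed in the issue.
DEFAULT_TRUNCATE = 10000

# Constructed sample eve.json lines (one JSON object per line): a small alert,
# an alert whose payload_printable pushes the line past the default limit, and
# an http event. None of these come from a real sensor.
SAMPLE_EVE_JSON = "\n".join([
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
                "alert": {"signature": "constructed test signature", "severity": 2},
                "payload_printable": "GET / HTTP/1.1"}),
    json.dumps({"event_type": "alert", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
                "alert": {"signature": "constructed test signature", "severity": 2},
                "payload_printable": "A" * 12000}),
    json.dumps({"event_type": "http", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
                "http": {"hostname": "example.test", "url": "/"}}),
])


def oversized_events(ndjson_text, limit=DEFAULT_TRUNCATE):
    """Return one (line_no, event_type, size_bytes, largest_field) tuple for each
    event whose raw line is longer than `limit` bytes, i.e. each event Splunk
    would cut at TRUNCATE and whose trailing fields would be lost."""
    hits = []
    for line_no, line in enumerate(ndjson_text.splitlines(), start=1):
        size = len(line.encode("utf-8"))  # Splunk measures TRUNCATE in bytes
        if size <= limit:
            continue
        event = json.loads(line)
        # Find the top-level key whose serialized value is the largest; for
        # Suricata alerts this is typically payload_printable.
        largest_field = max(event, key=lambda k: len(json.dumps(event[k])))
        hits.append((line_no, event.get("event_type"), size, largest_field))
    return hits


if __name__ == "__main__":
    for line_no, event_type, size, field in oversized_events(SAMPLE_EVE_JSON):
        print(f"line {line_no}: {event_type} event is {size} bytes "
              f"(> {DEFAULT_TRUNCATE}); largest field: {field}")
```

Point the same function at a real eve.json (for example `oversized_events(open(path).read())`) to get the count of events that a per-sourcetype `TRUNCATE` raise, or `TRUNCATE = 0`, would need to cover.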