EDR: SIEM events are not captured properly and payload is truncated
Article ID: 287487
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
SIEM events are not captured properly and payload is truncated
Environment
- EDR Server: All supported versions
- Event Forwarder: All Supported Versions
- Qradar
Cause
Event forwarder has been configured to forward messages to SIEM via UDP.
Resolution
TCP is the preferred option to avoid message loss/truncation.
Additional Information
The UDP syslog RFC states that any syslog receiver only needs to support up to 1180 bytes.
Feedback
Yes
No
Powered by
