QRadar's default maximum TCP syslog payload size is 4096 bytes. It is recommended to increase it to at least double that value, or ideally to 32000. Some alerts exceed 4 KB, and events larger than the configured limit are not logged correctly in QRadar.

Procedure

  1. Open the QRadar console.
  2. Go to Admin > System Settings.
  3. Click the Switch to: Advanced button.
  4. Locate the Max TCP Syslog Payload Length setting and increase its value to the recommended 32000.

    [Screenshot: Change the Max TCP Syslog Payload Length setting]

  5. Click Save.
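Before and after raising the limit, it helps to know whether your log sources actually emit events over 4096 bytes. The following Python script is an added example, not IBM's or QRadar's code: it splits a raw TCP syslog byte stream into messages using the two framings from RFC 6587 (octet-counting and LF-terminated non-transparent framing), then reports how many messages exceed a given Max TCP Syslog Payload Length and how many bytes of each would fall beyond it. The sample stream, the host names and the 5000-byte padding are constructed; the script assumes every message starts with a `<PRI>` header, and it does not model what QRadar does with an oversized event beyond the page's statement that it is not logged correctly.

```python
"""Check a raw TCP syslog stream for events larger than QRadar's TCP syslog limit.

Added example, not IBM/QRadar code. Assumes RFC 6587 framing (octet-counting or
LF-terminated) and that each message begins with a "<PRI>" header, so a message
never starts with a bare number followed by a space.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

DEFAULT_MAX_TCP_SYSLOG_PAYLOAD = 4096       # QRadar default, from the page
RECOMMENDED_MAX_TCP_SYSLOG_PAYLOAD = 32000  # recommended value, from the page

_OCTET_COUNT = re.compile(rb"(\d+) ")       # "<len> " prefix of an octet-counted frame


@dataclass
class SyslogFrame:
    payload: bytes
    framing: str  # "octet-counting" or "non-transparent"


def split_tcp_syslog_stream(data: bytes) -> list[SyslogFrame]:
    """Split a TCP byte stream into individual syslog messages.

    TCP itself has no message boundaries, so the framing decides where one
    event ends: "<len> <msg>" octet-counting, or text terminated by LF.
    """
    frames: list[SyslogFrame] = []
    i, n = 0, len(data)
    while i < n:
        m = _OCTET_COUNT.match(data, i)
        if m:
            length = int(m.group(1))
            start = m.end()
            if start + length > n:          # incomplete frame at end of capture
                break
            frames.append(SyslogFrame(data[start:start + length], "octet-counting"))
            i = start + length
            continue
        end = data.find(b"\n", i)           # non-transparent framing: up to LF
        if end == -1:
            end = n
        payload = data[i:end]
        if payload:                         # skip blank lines between frames
            frames.append(SyslogFrame(payload, "non-transparent"))
        i = end + 1
    return frames


def size_report(data: bytes, limit: int = DEFAULT_MAX_TCP_SYSLOG_PAYLOAD) -> dict:
    """Count events over `limit` bytes and how many bytes of each lie beyond it."""
    frames = split_tcp_syslog_stream(data)
    over = [f for f in frames if len(f.payload) > limit]
    return {
        "total": len(frames),
        "max_len": max((len(f.payload) for f in frames), default=0),
        "oversized": len(over),
        "lost_bytes": [len(f.payload) - limit for f in over],
    }


def build_sample_stream() -> bytes:
    """Constructed sample: a short event and an oversized alert, each sent in both framings."""
    short = b"<13>Jan  1 00:00:00 fw01 kernel: sample short event"
    # Constructed IDS-style alert padded past 4 KB, like the alerts the page mentions.
    big = b"<14>Jan  1 00:00:01 ids01 suricata: sample alert payload=" + b"A" * 5000
    octet_counted = b"%d %s" % (len(short), short) + b"%d %s" % (len(big), big)
    non_transparent = short + b"\n" + big + b"\n"
    return octet_counted + non_transparent


if __name__ == "__main__":
    stream = build_sample_stream()
    for limit in (DEFAULT_MAX_TCP_SYSLOG_PAYLOAD, RECOMMENDED_MAX_TCP_SYSLOG_PAYLOAD):
        print(f"limit={limit}: {size_report(stream, limit)}")
```

In practice, feed `size_report` the bytes of a capture taken on the collector side (for example the TCP payload of a short pcap from the sending device). If `oversized` is non-zero at 4096 but zero at 32000, the recommended setting covers your sources; if `max_len` is above 32000, the limit needs to go higher still.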