What is the current character limit for event ingestion on the InsightIDR platform?
I want to ingest events on the InsightIDR platform with the help of an InsightConnect workflow, forwarded with the help of the Syslog Forwarder plugin.
Also, can someone from the team please help me understand the best practices and ideal ways to perform event ingestion on the InsightIDR platform from an InsightConnect workflow?
32k bytes is the current limit for a single line. After 32k, the rest of the log/event will be split into another 32k line max; beyond that, data is dropped entirely (>64k in a single payload is the maximum ingested amount with two 32k chunks).
For example, if you send a log that is 48k long, you will see two logs in log search: the first 32k bytes, followed by the 16k bytes on the next line. However, if these log events are in JSON, for instance, the JSON will break as the log is split across multiple lines.
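
A pre-send check for the behaviour described in the answer above, as an added example that is not part of the original thread: it models the 32k split and spreads an oversized JSON event over several events that each parse on their own. The byte value taken for 32k, the header headroom, the field names (`split_id`, `part`, `of`, `findings`) and the sample event are assumptions made for illustration.

```python
import json
import uuid

LINE_LIMIT = 32 * 1024  # assumption: "32k bytes" taken as 32,768
HEADROOM = 1024         # assumption: space for the syslog header added in transit


def simulate_ingest(line: bytes) -> list:
    """Model the split described above: at most two 32k lines, the rest dropped."""
    return [line[i:i + LINE_LIMIT] for i in range(0, len(line), LINE_LIMIT)][:2]


def encode(event: dict) -> bytes:
    """Compact, single-line JSON; size is measured in UTF-8 bytes, not characters."""
    return json.dumps(event, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def split_event(event: dict, big_field: str, budget: int = LINE_LIMIT - HEADROOM) -> list:
    """Return JSON lines that each fit the budget and parse on their own.

    An oversized event has the list under big_field spread over several
    events sharing a split_id, with part/of counters for reassembly.
    """
    if len(encode(event)) <= budget:
        return [encode(event)]
    base = {k: v for k, v in event.items() if k != big_field}
    base["split_id"] = uuid.uuid4().hex
    chunks, current = [], []
    for item in event[big_field]:
        # 9999 is a worst-case width for the counters while sizing the chunk.
        trial = dict(base, part=9999, of=9999, **{big_field: current + [item]})
        if current and len(encode(trial)) > budget:
            chunks.append(current)
            current = []
        current.append(item)
    chunks.append(current)
    lines = [encode(dict(base, part=n, of=len(chunks), **{big_field: c}))
             for n, c in enumerate(chunks, 1)]
    if any(len(line) > budget for line in lines):
        raise ValueError("one item alone exceeds the line budget; truncate it first")
    return lines


def sample_event(n: int = 600) -> dict:
    """Constructed sample: a workflow result carrying a long list of findings."""
    findings = [{"host": f"srv-{i:04d}", "detail": "x" * 60} for i in range(n)]
    return {"workflow": "example-workflow", "findings": findings}
```

Each line returned by `split_event` would be sent as its own syslog message; a search on `split_id` then brings the parts back together.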