Event ID 1003 Splits the Message in JSA
Windows Event ID 1003 can exceed the default maximum payload size in JSA. It is then split into two separate messages.
The default maximum payload size in JSA is 4096 bytes. If Event ID 1003 messages are being split, you must increase the maximum payload size to keep the messages intact.
Follow these steps to increase the maximum payload size:
- Log in to the Console as an administrator.
- Click the Admin tab.
- Click System Settings > Advanced.
- On the System Settings pane, update the Max TCP Syslog Payload Length value to 8,192.
Extremely large payload values can impact performance of the event pipeline. Do not increase the Max TCP Syslog Payload Length value above 8,192 bytes without contacting Juniper support.
- Click Save.
- On the Admin tab, click Advanced > Deploy Full Configuration.
Completing a full deployment restarts all services on all JSA appliances. Verify whether reports are running before you run the deployment, as a full deployment stops reports that are in progress. These reports must be manually restarted by a user or the administrator. This procedure also temporarily stops event and flow collection on all appliances while services are restarting. To avoid these issues, make this change during a maintenance window.
- Click Continue to start the full deployment.
After the deployment completes, the change is sent to all JSA managed hosts so that they accept the larger TCP payload length. Managed hosts then do not truncate the event message unless it exceeds 8,192 bytes.