Skip to main content
Question

google chronicle forwarder

  • July 31, 2025
  • 3 replies
  • 46 views
rahul7514
Forum|alt.badge.img+10

Hi

 

While configuring google secops forwarder for syslog, should the udp buffer be kept at 8192 or should it be modified, under what conditions should we change it?? 

3 replies

russell_pfeifer
Forum|alt.badge.img+6

hi rahul7415--

Are you seeing packet drops or the logs being truncated? Are you forwarding logs from sources that are verbose (ie firewalls, IDS/IPS systems?) Are you getting warnings about buffer overflows or anything similiar? 

Documentation seems to confirm that the default (8192 bytes) is sufficient in most cases for low to moderate log volume.

Hope this helps. 

Russell P
rahul7514
Forum|alt.badge.img+10
  • rahul7514Bronze 2
  • Author
  • Bronze 2
  • August 2, 2025

@russell_pfeifer  yes we see packet drops and it is for palo alto firewall. So if we have to increase it how do we determine how much should we keep it?? 

russell_pfeifer
Forum|alt.badge.img+6

@rahul7514 I’m not finding any specific SecOps documentation with a recommended buffer increase size. But, the best practice in high throughput environments for syslog is to set the UDP buffer size to 65535 bytes. 

The most relevant documentation comes from sources like RFC 5426, which defines how syslog messages are transmitted over UDP. While it doesn’t explicitly recommend setting the buffer to 65535 bytes, it does state that each UDP datagram must contain a single syslog message, and that message may be truncated if it exceeds the datagram size: https://datatracker.ietf.org/doc/rfc5426/

You could set it to this value but be sure to monitor system memory as larger buffers consume more RAM. 

Hope this helps.

Russell P
Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.