What is the max body size of O365 logs being sent to Google Chronicle?

I am getting errors sending data to Chronicle from O365 logs. I know there's a max body size, but the log size for O365 exceeds this limitation. What is the correct setting when sending data from O365 to Cribl Stream and then to Chronicle?


Hi, 

If you are using Chronicle's ingestion API, then max payload is 1 MB. More info here:

https://cloud.google.com/chronicle/docs/reference/ingestion-api#unstructuredlogentries

@Rene_Figueroa thank you for the response. So let's say we're pulling data from O365 at an interval of every 5 minutes and sending it to Chronicle in batches; if the total size of all events goes above 1MB, will Chronicle apply back pressure?

The request will be rejected and an error will be returned.

Do you have time next week to see what we're observing and help with troubleshooting this issue for a mutual customer?

Please reach out to Chronicle support for additional help.

If you're using the ingestion API directly, then the max size is 1MB (before compression).
If you're using the webhook, then the max size is increased to 4MB (before compression).
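The replies above say an over-limit request is simply rejected with an error, so the fix on the sending side is to size batches against the body limit before posting rather than waiting for back pressure. The following Python is an added example, not code from this thread, Cribl, or Google: it packs a list of log entries into request bodies that each stay under a byte limit (1 MB for the ingestion API, 4 MB for the webhook, both measured before compression as the thread states), and sets aside any single entry that would exceed the limit on its own so it can be handled separately instead of poisoning a whole batch. The envelope field names (`customer_id`, `log_type`, `entries`, `log_text`, `ts_rfc3339`) follow the unstructuredlogentries docs as I understand them and should be checked against the linked reference; the customer id and the `OFFICE_365` log type label are placeholders.

```python
import json

# Limits quoted in the thread, measured on the uncompressed body.
INGESTION_API_MAX_BYTES = 1_000_000   # direct ingestion API
WEBHOOK_MAX_BYTES = 4_000_000         # webhook path


def _compact(obj):
    """Serialize exactly as the request body will be serialized (compact separators)."""
    return json.dumps(obj, separators=(",", ":"))


def build_body(entries, customer_id, log_type):
    """Serialize one unstructuredlogentries request body.
    Field names are an assumption based on the public docs; verify before use."""
    return _compact({"customer_id": customer_id, "log_type": log_type, "entries": entries})


def body_bytes(entries, customer_id, log_type):
    """Uncompressed body size in bytes, which is what the limit applies to."""
    return len(build_body(entries, customer_id, log_type).encode("utf-8"))


def batch_entries(entries, customer_id, log_type, max_bytes=INGESTION_API_MAX_BYTES):
    """Split entries into batches whose serialized body never exceeds max_bytes.

    Returns (batches, oversized): batches is a list of entry lists, each of which
    serializes to <= max_bytes; oversized holds entries that exceed the limit even
    in a body of their own and therefore can never be sent as-is.
    """
    # Fixed cost of the envelope with an empty entries list.
    overhead = body_bytes([], customer_id, log_type)
    batches, oversized = [], []
    current, current_size = [], overhead

    for entry in entries:
        entry_size = len(_compact(entry).encode("utf-8"))

        # An entry that cannot fit even alone is reported rather than silently dropped.
        if overhead + entry_size > max_bytes:
            oversized.append(entry)
            continue

        # Inside the JSON array each additional element costs its own bytes plus one comma.
        extra = entry_size + (1 if current else 0)
        if current_size + extra > max_bytes:
            batches.append(current)
            current, current_size = [], overhead
            extra = entry_size

        current.append(entry)
        current_size += extra

    if current:
        batches.append(current)
    return batches, oversized


if __name__ == "__main__":
    # Constructed sample entries standing in for O365 audit records pulled in one 5-minute window.
    sample = [
        {"log_text": json.dumps({"Operation": "FileAccessed", "Seq": i, "Pad": "x" * 300}),
         "ts_rfc3339": "2024-05-01T12:00:00Z"}
        for i in range(10)
    ]
    batches, oversized = batch_entries(sample, "CUSTOMER_ID_PLACEHOLDER", "OFFICE_365", max_bytes=1_000)
    for b in batches:
        print(len(b), "entries,", body_bytes(b, "CUSTOMER_ID_PLACEHOLDER", "OFFICE_365"), "bytes")
    print("oversized:", len(oversized))
```

In a Cribl Stream pipeline the equivalent control is the batching configuration on the destination; the point of the example is that batch boundaries must be chosen from the serialized body size, not from a fixed event count or polling interval, because the 1 MB check on the Chronicle side is applied to the whole request body.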