
Option to exclude fields #42

@novwhiskey07


Is there a way to exclude specific fields from being sent? I wasn't able to find anything in the config file that would allow for that. Currently we're seeing an issue where the logs are not parsing correctly because we're hitting the limit of 2048 characters per field.

This seems to be because the groups portion is causing the data to go over the max characters. Our users may be a part of up to 10 different groups, so it's being cut off mid-string.

If there was a way to exclude the users' groups from sending, that would resolve the issue.

The current workaround is to send the data as CEF instead of JSON, but then the data that is sent is limited. Or remove some groups from the users; then the data fits within 2048 characters and is parsed by our SIEM.
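A relay-side filter of the kind requested above, as an added example that is not part of the original issue or the project's code: it drops configured dotted paths from each JSON event and reports any remaining field whose serialized value exceeds 2048 characters. The field names (`user.groups`, `description`) and the choice to count a whole list as one field are assumptions, since the issue does not show the event schema.

```python
import json

MAX_FIELD_CHARS = 2048  # per-field limit reported in the issue


def drop_path(obj, path):
    """Delete a dotted path from nested dicts, walking through lists of dicts."""
    head, _, rest = path.partition(".")
    if isinstance(obj, list):
        for item in obj:
            drop_path(item, path)
    elif isinstance(obj, dict) and head in obj:
        if rest:
            drop_path(obj[head], rest)
        else:
            del obj[head]


def oversize_fields(obj, prefix=""):
    """Return dotted paths whose serialized value is longer than the limit.

    Assumption: anything that is not a dict (strings, numbers, whole lists)
    is one field as far as the receiving parser is concerned.
    """
    if isinstance(obj, dict):
        found = []
        for key, value in obj.items():
            found += oversize_fields(value, f"{prefix}{key}.")
        return found
    text = obj if isinstance(obj, str) else json.dumps(obj)
    return [prefix.rstrip(".")] if len(text) > MAX_FIELD_CHARS else []


def filter_event(line, exclude):
    """Apply the exclusions to one JSON log line; return (json_text, oversize_paths)."""
    event = json.loads(line)
    for path in exclude:
        drop_path(event, path)
    return json.dumps(event, separators=(",", ":")), oversize_fields(event)


# Constructed sample event: a user in 10 groups, each with a long description.
SAMPLE = json.dumps({
    "event_type": "login",
    "user": {"name": "alice",
             "groups": [{"id": i, "name": f"group-{i}", "description": "x" * 300}
                        for i in range(10)]},
})

if __name__ == "__main__":
    print(filter_event(SAMPLE, [])[1])               # fields over the limit as sent
    print(filter_event(SAMPLE, ["user.groups"])[0])  # event with groups excluded
```

Running the check with an empty exclusion list first shows which fields would be truncated, so only those need to be excluded and the rest of the JSON event still reaches the SIEM.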
