Hi @_Val_  @Chris_Atkinson  This is irrespective of the log type. We have observed this truncation in different logs. Devices forward log to SIEM on port 601 tcp.
Though this is frequent issue and this is not for all logs. Truncation is intermittent and most of logs truncated at service:"2 or service_id:"ABC_tcp-Pro fields. Any idea why this is happening? Any configuration which could be impacting this

Sample full log :

1 2021-02-17T22:12:13Z mtest2 CheckPoint 11111 - [action:"Drop"; flags:"400644"; .... outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"11179"; service:"212" session_timeout:"0"; src:"1.2.3.4"; status:"Failure"; suppressed_logs:"0"; tunnel_protocol:"IPSec"; user:"ABC"; ]

1 2021-02-17T01:15:22Z mtest2 CheckPoint 11111 - [action:"Drop"; flags:"400644"; .... outzone:"Internal"; product:"VPN-1 & FireWall-1"; proto:"6"; s_port:"22262"; service:"2"; service_id:"IKE_tcp-Protocol"; src:"2.3.4.5"; alert:"alert"; update_count:"964"; ]

Which SIEM platform, also are you working with TAC in parallel?

Just to be 100% clear here. Logs can be truncated

1. on the source log server,
2. during transfer or
3. after being received.

I suggested that you look to the specific logs by the time stamps to make sure those logs are fully showing on the log server. That covers p1.

If no oddities there, run a tcpdump somewhere on the middle and try catching logs during transfer, to cover p.2

If you find an indication of logs being truncated for pp 1 or 2, open a TAC case.

If not, look on the receiving server.

Should be the default in R81 and above. @oomph what version is the management?

Hi @Juan_ its using semi-unified read mode