The data posted to the Azure Monitor Data Collector API is subject to certain constraints. You may encounter two of these constraints when using Change Auditor:
- Maximum of 30 MB per post to Azure Monitor Data Collector API. This is a size limit for a single post. If the data from a single post exceeds 30 MB, the batch will fail to send and an error similar to the following will be logged in the Coordinator log:
- ID: 1763
Time: 4/22/22 15:25:07.705
Level: ERROR
Thread: 53
Logger: Quest.ChangeAuditor.WebServices.EventForwarderController
File:
Function: Quest.ChangeAuditor.WebServices.SentinelRequestManager+<SendRequest>d__13.MoveNext
Line: 0
Message: Event data size 53605503 exceeds Sentinel maximum message size 29360128 in 6500 event batch
- Maximum of 32 KB for field values. If the field value is greater than 32 KB, the data will be truncated. The truncated data is lost and an error similar to the following is logged in the Coordinator log:
- ID: 1262
Time: 4/21/22 11:41:01.216
Level: ERROR
Thread: 61
Logger: Quest.ChangeAuditor.WebServices.EventForwarderController
File:
Function: Quest.ChangeAuditor.WebServices.SentinelRequestManager.SetData
Line: 0
Message: <log4net.Error>Exception during StringFormat: Input string was not in a correct format. <format>ERROR: Change Auditor audit event column '{0}' value length {1} exceeds Sentinel maximum column field length {2}}.</format><args>{to, 185892, 32768}</args></log4net.Error>
Note: A warning may also be seen in the Log Analytics Workspace Insights stating something similar to: “The following fields: values to of type ChangeAuditor have been trimmed to the max allowed size”
Note: When these errors are logged, the data is lost.
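Because both errors mean audit events never reached Sentinel intact, it is worth scanning the Coordinator log for them. The following is an added example, not Quest code: it assumes log records are laid out as in the excerpts above (one "Field: value" per line, each record starting at "ID:"), and the names `split_records` and `find_data_loss` are hypothetical.

```python
import re

# Constructed sample: the two Coordinator log messages quoted in this article,
# with the Thread/File/Function/Line fields omitted for brevity.
SAMPLE_LOG = """\
- ID: 1763
Time: 4/22/22 15:25:07.705
Level: ERROR
Message: Event data size 53605503 exceeds Sentinel maximum message size 29360128 in 6500 event batch
- ID: 1262
Time: 4/21/22 11:41:01.216
Level: ERROR
Message: <log4net.Error>Exception during StringFormat: Input string was not in a correct format. <format>ERROR: Change Auditor audit event column '{0}' value length {1} exceeds Sentinel maximum column field length {2}}.</format><args>{to, 185892, 32768}</args></log4net.Error>
"""

FIELDS = {"ID", "Time", "Level", "Thread", "Logger", "File", "Function", "Line", "Message"}
BATCH_RE = re.compile(
    r"Event data size (\d+) exceeds Sentinel maximum message size (\d+) in (\d+) event batch")
FIELD_RE = re.compile(r"maximum column field length.*<args>\{(.+),\s*(\d+),\s*(\d+)\}</args>")

def split_records(text):
    """Yield one dict per record; wrapped lines are joined to the previous field."""
    rec, last = None, None
    for line in text.splitlines():
        key, sep, value = line.lstrip("- ").partition(":")
        if sep and key in FIELDS:
            if key == "ID":
                if rec:
                    yield rec
                rec = {}
            if rec is not None:
                rec[key], last = value.strip(), key
        elif rec is not None and last:
            rec[last] += " " + line.strip()
    if rec:
        yield rec

def find_data_loss(text):
    """Return one finding per logged batch drop or field truncation."""
    findings = []
    for rec in split_records(text):
        base = {"id": rec["ID"], "time": rec.get("Time")}
        msg = rec.get("Message", "")
        if m := BATCH_RE.search(msg):
            size, limit, count = map(int, m.groups())
            findings.append({**base, "kind": "batch_dropped", "size": size, "limit": limit, "events_lost": count})
        elif m := FIELD_RE.search(msg):
            length, limit = int(m[2]), int(m[3])
            findings.append({**base, "kind": "field_truncated", "column": m[1], "length": length, "limit": limit, "excess": length - limit})
    return findings
```

Calling `find_data_loss` on the text of a Coordinator log returns a list that can be fed to an alert, so gaps in forwarded audit data are noticed rather than discovered during an investigation.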
For the full list of the HTTP Data Collector API limitations, please see the following Microsoft article:
https://docs.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api#data-limits
Also, for a general Sentinel API overview, please see the following Microsoft article:
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-sentinel-api-101/ba-p/1438928
This affects Change Auditor 7.3 and later.