I am trying to find the raw data hitting HEC that results in parser issues. These events are supposedly dropped, and I need to know what exactly in the message is causing it. I have tried enabling debug logging for HttpClientRequest, HttpInputEventParser, HttpInputDataHandler, HttpEventCollector, and HunkRawdataParser, but none of them are showing the raw data input. Any suggestions on how to find the raw HTTP data hitting HEC?