Nimbostratus

Dec 30, 2024

BIG-IP SysLog appearing in ossec.log

F5 BigIP Syslog Integration: Logs Appearing in ossec.log instead of archives.log with Size Limitation Error

Environment

Wazuh server
F5 BigIP

Current Setup

F5 BigIP is configured to send logs via syslog since running a Wazuh agent is not possible (BigIP standard practices restrict installing new packages).

Issue Description

When sending logs from F5 BigIP to Wazuh using syslog:

Logs are appearing in ossec.log instead of archives.log as specified in the official documentation
The logs are being received in hexadecimal format
The logs appear to be incomplete with an error message indicating "to big size above"

Current Configurations

Wazuh Configuration

F5 BigIP Syslog Configuration

Expected Behavior

Logs should be written to archives.log
Logs should be complete and properly decoded
No size limitation errors should occur

Actual Behavior

Logs are being written to ossec.log
Logs are in hexadecimal format
Receiving error: "to big size above"
Logs are incomplete

Troubleshooting Steps Attempted

Network Connectivity Verification:
- Performed tcpdump analysis - confirmed packets are being transmitted correctly
- No network-level issues identified
Wazuh Configuration Adjustments:
- Modified client_buffer settings - no impact on the issue
- Tested multiple port configurations - issue persists
Port Testing:
- Attempted communication through different ports
- Issue remained consistent across all port configurations
Additional Attempts:
- Exhausted various other configuration combinations
- No successful resolution achieved through standard troubleshooting methods

Debug Information

Decoded Hex Log Sample

Additional Notes

The incomplete hex format suggests potential issues with message size limitations or parsing
Willing to provide additional information or troubleshooting details through a call if needed

Questions

Is this a known issue with F5 BigIP syslog integration?
Are there specific size limitations that need to be configured?
Is there a configuration parameter that needs to be modified to direct logs to archives.log?

Forum Discussion

BIG-IP SysLog appearing in ossec.log

Environment

Current Setup

Issue Description

Current Configurations

Wazuh Configuration

F5 BigIP Syslog Configuration

Expected Behavior

Actual Behavior

Troubleshooting Steps Attempted

Debug Information

Decoded Hex Log Sample

Additional Notes

Questions

Recent Discussions

how to whitelist new source IP on F5 web UI access

F5 to read a combined CRL file

Upgrade F5 BIGIP

ISP Load Balancing, SNAT pool instead of Automap link self-ip, anyway to do health check ?

MAC address of deleted VS IP address still responsive

Related Content

Re: Get Started with BIG-IP Virtual Edition (VE), BIG-IQ VE or BIG-IP Cloud Edition Trial

Re: Welcome to the F5 BIG-IP Migration Assistant

Arabic Blackboard F5 series [what is Big-IP]

Re: Mitigating OWASP API Security Top 10 - 2019 risks using BIG-IP

Ansible module to update BIG-IP root/admin passwords

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS