Forum Discussion
Jason_Antman_40
Nimbostratus
NimbostratusHow to bypass log 1024 byte limit / truncation
I'm trying to log the content of excessively long Cookie HTTP headers, per the instructions in some questions such as:
- https://devcentral.f5.com/questions/logging-http-header-that-is-longer-than-the-maximum-allowed
- https://devcentral.f5.com/questions/problem-with-irule-that-logs-excessive-http-header-lengths
- https://devcentral.f5.com/questions/log-connections-that-exceed-maximum-header-size
All of these are supposed to log the full content of the header - that's the point of them. But the log command goes through the local syslog-ng, and (per https://devcentral.f5.com/wiki/iRules.log.ashx) truncates messages at 1024 bytes.
I found a few mentions that HSL may not have this limitation, but unfortunately my dev/test load balancer is running 9.4.7, so that's not possible. The production boxes are running 10.1.0, but I'm sort of hesitant to make my first use of HSL without testing it in a safe place.
Is there any way to just dump this to disk somewhere, or any other way to bypass syslog?
Can't you install the same version on your test/dev box as what you run in prod?
Ian_McLean_3779Altostratus
Can't you install the same version on your test/dev box as what you run in prod?
Jason_Antman_40I can't seem to accept my own answer, but this is close enough... I just tested it on a less-important VIP on the production box.
- Kevin_Stewart
Employee
Take a look at SOL8306:
http://support.f5.com/kb/en-us/solutions/public/8000/300/sol8306.html?sr=36922430
I believe you do still have to send the logs to a remote Syslog server, but you can do that with the standard log statement.
- Jason_Antman_40
Thanks for the replies.
I ended up being very careful, and setting up HSL on the production load balancer, but tested first with a less-important VIP. It seems to be working fine, and I can get the full 9k+ log messages (I'm sending the data to Logstash. It captures the full message without any problem, though I can't seem to get the formatting right for logstash to parse it as a valid syslog message).
- Dan_Markhasin_1Hi Jason, I'm trying to do the same thing - capture certain transactions via logstash - but I'm running into truncation issues even when using HSL. Can you share the settings you've used on F5 / Logstash to get it working?
