How to bypass log 1024 byte limit / truncation

Question

I'm trying to log the content of excessively long Cookie HTTP headers, per the instructions in some questions such as:&nbsp;
https://devcentral.f5.com/questions/logging-http-header-that-is-longer-than-the-maximum-allowedhttps://devcentral.f5.com/questions/problem-with-irule-that-logs-excessive-http-header-lengthshttps://devcentral.f5.com/questions/log-connections-that-exceed-maximum-header-size
All of these are supposed to log the full content of the header - that's the point of them. But the log command goes through the local syslog-ng, and (per https://devcentral.f5.com/wiki/iRules.log.ashx) truncates messages at 1024 bytes.&nbsp;
I found a few mentions that HSL may not have this limitation, but unfortunately my dev/test load balancer is running 9.4.7, so that's not possible. The production boxes are running 10.1.0, but I'm sort of hesitant to make my first use of HSL without testing it in a safe place.&nbsp;
Is there any way to just dump this to disk somewhere, or any other way to bypass syslog?&nbsp;

ian_mclean_3779 · Accepted Answer

Can't you install the same version on your test/dev box as what you run in prod?&nbsp;

kevin_stewart · Answer

Take a look at SOL8306:&nbsp;
http://support.f5.com/kb/en-us/solutions/public/8000/300/sol8306.html?sr=36922430&nbsp;
I believe you do still have to send the logs to a remote Syslog server, but you can do that with the standard log statement.&nbsp;

jason_antman_40 · Answer

Thanks for the replies.&nbsp;
I ended up being very careful, and setting up HSL on the production load balancer, but tested first with a less-important VIP. It seems to be working fine, and I can get the full 9k+ log messages (I'm sending the data to Logstash. It captures the full message without any problem, though I can't seem to get the formatting right for logstash to parse it as a valid syslog message).&nbsp;

jason_antman_40 · Answer

I can't seem to accept my own answer, but this is close enough... I just tested it on a less-important VIP on the production box.

dan_markhasin_1 · Answer

Hi Jason,

I'm trying to do the same thing - capture certain transactions via logstash - but I'm running into truncation issues even when using HSL.

Can you share the settings you've used on F5 / Logstash to get it working?

Forum Discussion

How to bypass log 1024 byte limit / truncation

5 Replies

Recent Discussions

Rundeck ansible F5 errors

What is the meaning is 52% block in WAF

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

Bypass certificate check

Bypass WAF for X-forwarder IP in XC

MSM Bypass

Introduction to F5 Distributed Cloud Console Rate Limiting Feature

Bypassing ASM on HTTP response