we are currently exporting logs and telemetry data to an elasticsearch, we already configured the telemetry stream and the consumers, and we started to play with the HTTP Analytics profiles and started to apply to our virtual servers, everything is working fine, but when we started to pay with the Capture filter and put the filter to catpure all of the request details and response details, we received some incomplete Bodys, everything is reaching fine, on the elastic side we see that everything except the request body is fine.
on the request Body we started to detect that the body is incomplete, for example on some request bodys we see an xml, and this xml has missing part of it (lets say that is half of it, how we know that, is because we dont se the closing tags of that request) we are thinking that maybe is some limitations on the max size for logging on the request body or response body, because it appears it has a max limit of bytes, every other fields are ok, headers, status, referers, etc.
the configuration of this profile is something like this:
HTTP Analytics Profile ---> Remot Publisher Fomatter (Splunk) ----> Remote Publisher TCP (HSL) --->Telemetry stream pool (255.255.255.254:6514 where the listener of telemetry stream is mounted) ---> Consumer (Logstash HTTP Endpoint who has support of 100MB size of request as default)
we discarded is maybe something to do with an udp, because we are using tcp in HSL, and if that was the case we think we will receive a malformed package, but instead we just got an incomplete field, "the body".
Has anyone had some idea why the body is incomplete or maybe it has to be that way.?
@Requium I know that when the F5 performs HTTP/S health monitors it only reads up to a certain point of the body and then does nothing beyond that so this could be a similar limitation but I am not 100% that that is what you are experiencing here with logging.
yeah thats exactly what im experiencing, i just see a portion of the body on the logging, i was expecting to see the whole body, the body is a large XML request, maybe thats why it cut it off, but is there a way to see the whole request, even if is it a larger one?
@Requium I am unaware of how to do this but hopefully someone else comes along that knows more than I do about this logging.
Any luck with your investigation? If no, I'll see if I can find an F5er to jump in, like maybe @JRahm
Nope, didnt have any luck on this, Thanks Leslie it will be great !