syslog
63 Topics

BIG-IP SysLog appearing in ossec.log
F5 BigIP Syslog Integration: Logs Appearing in ossec.log instead of archives.log with Size Limitation Error

Environment
- Wazuh server
- F5 BigIP

Current Setup
F5 BigIP is configured to send logs via syslog since running a Wazuh agent is not possible (BigIP standard practices restrict installing new packages).

Issue Description
When sending logs from F5 BigIP to Wazuh using syslog:
- Logs are appearing in ossec.log instead of archives.log as specified in the official documentation
- The logs are being received in hexadecimal format
- The logs appear to be incomplete, with an error message indicating "to big size above"

Current Configurations
Wazuh Configuration
F5 BigIP Syslog Configuration

Expected Behavior
- Logs should be written to archives.log
- Logs should be complete and properly decoded
- No size limitation errors should occur

Actual Behavior
- Logs are being written to ossec.log
- Logs are in hexadecimal format
- Receiving error: "to big size above"
- Logs are incomplete

Troubleshooting Steps Attempted
Network Connectivity Verification:
- Performed tcpdump analysis; confirmed packets are being transmitted correctly
- No network-level issues identified
Wazuh Configuration Adjustments:
- Modified client_buffer settings; no impact on the issue
- Tested multiple port configurations; issue persists
Port Testing:
- Attempted communication through different ports
- Issue remained consistent across all port configurations
Additional Attempts:
- Exhausted various other configuration combinations
- No successful resolution achieved through standard troubleshooting methods

Debug Information
Decoded Hex Log Sample

Additional Notes
- The incomplete hex format suggests potential issues with message size limitations or parsing
- Willing to provide additional information or troubleshooting details through a call if needed

Questions
- Is this a known issue with F5 BigIP syslog integration?
- Are there specific size limitations that need to be configured?
- Is there a configuration parameter that needs to be modified to direct logs to archives.log?

F5 APM Syslog-NG parser
Hello everybody,
I use the F5 BIG-IP Edge VPN client and I would like to generate a log with all of these session variables: "session.ldap.last.attr.userPrincipalName + session.check_machinecert.last.cert.subject + session.assigned.clientip". My problem is that "session.assigned.clientip" isn't populated in the session variables, so I can't use a log message to make a custom log with all of these values.
So my question is: is it possible to parse these logs with syslog-ng, concatenate all the syslog frames that share the session ID, and forward the concatenated log to another syslog instance?
Don't know if my question is very understandable?
Regards,
Miguel

Need help on syslog cli configuration
Hello team,
I have to correct the syslog config with the commands below. Will there be any impact from running them? Which list command can I run to perform pre-checks, and how do I confirm that the configuration is working correctly post implementation? What is the use of each of the two commands?

    tmsh modify sys syslog { include "destination remote_server {tcp(10.10.10.8 port (1528));}; filter f_alllogs {level (debug...emerg);}; log {source(local); filter(f_alllogs); destination(remote_server);}; options {use_fqdn(yes); keep_hostname(yes);};" }

    tmsh modify sys syslog { remote-servers replace-all-with { remotesyslog1 { host 10.1.20.1 local-ip 192.168.101.1 remote-port 5528 } remotesyslog2 { host 10.2.20.1 local-ip 192.168.101.1??? remote-port 5528 } } }

Can BIG-IQ forward ASM event logs it receives from BIG-IP to a syslog server?
Hi,
Right now we have all BIG-IPs send ASM event logs to BIG-IQ. The question is: can BIG-IQ forward the ASM event logs it receives from BIG-IP to a syslog server? Or do I need to configure each BIG-IP to send ASM event logs to both (BIG-IQ and the syslog server) instead?

iRule to send syslog messages to a remote server over TCP instead of UDP?
Hi all!
Do you know if it is possible to send syslog messages from an iRule to a remote syslog server over TCP instead of UDP? The goal is to be able to send longer/larger syslog messages.
Thanks!

Logging all AFM Rules
Hello,
I have multiple AFM rules, more than 300, distributed in multiple "rule-lists". Some have the "logging" option enabled and others do not. I need to enable the "logging" option for all partition rules. Is there a method for this, or some script?
Thank you

iRule to log HTTP Request
Hello,
I have two F5 Big-IP:
- 1 * BIG-IP 11.4.1 Build 647.0 Hotfix HF4
- 1 * BIG-IP 10.2.4 Build 817.0 Hotfix HF7
I want to set up logging for HTTP traffic. On the first F5 (11.4), no problem. I have created a request logging profile with this template:

    $DATE_NCSA client=$CLIENT_IP:$CLIENT_PORT request=$HTTP_REQUEST virtual-server=$VIRTUAL_NAME($VIRTUAL_IP:$VIRTUAL_PORT) member=$SERVER_IP:$SERVER_PORT

On the second F5 (10.2), it is more complicated since the "Request logging profile" does not exist, and I can't upgrade the device. I decided to create an iRule which produces a log with the same format (HTTP request), but I don't know how to do it, especially how to generate "$DATE_NCSA" through the iRule.
Any help would be very appreciated! 🙂
Thanks
PS: please excuse my English 🐵

Log the count of the STREAM hits
I'm trying to figure out how it will be possible to see how many times a STREAM::expression is being executed.

    # http_host is referenced below but was not set in the posted snippet;
    # capturing it from the request here makes the rule runnable as posted
    when HTTP_REQUEST {
        set http_host [HTTP::host]
    }
    when HTTP_RESPONSE {
        if { $http_host equals "avv.com" or $http_host equals "acc.com" } {
            # Each STREAM::expression call replaces the previous one, so the
            # three find/replace pairs are given in a single expression
            STREAM::expression "@aa@bb@ @rr@ff@ @gg@qaqa@"
            STREAM::enable
            log local0. "RESPONSE: $http_host to IP: [IP::client_addr]"
        }
    }

So in the log I want to see something like: Total STREAM hit 80 (40aa - 20rr - 20gg)

Pool status in Splunk for F5 Networks
Hi all,
I made some tests on Splunk with the 11.5.0 TMOS version. My tests were on AFM, LTM and also syslog events. LTM (with the iRule included) and AFM work fine, but for syslog events there's something wrong. If you want to have your pool status statistics in Splunk, you have to parse syslog events. But those events have changed with the 11.5.0 version, so here is the newest regex you'll need:

    /\]:\s(........:.):\sPool\s(\S+)\smember\s(\S+)\smonitor\sstatus\s(\S+)\.\s?\[?\s?(?:\S+)?\:?\s?(?:\S+)?\s?\]?\s+?\[\swas\s(\S+)\sfor\s(\S+)/

This regex goes in /opt/splunk/etc/apps/SplunkforF5Networks/default/transforms.conf under [f5-syslog-eventcode]. I still have something missing in my Splunk configuration because I don't have all my pool statuses. If anybody has already played with it, could you tell me where I'm wrong?
Thanks.