BIG-IP SysLog appearing in ossec.log
F5 BigIP Syslog Integration: Logs Appearing in ossec.log instead of archives.log with Size Limitation Error Environment Wazuh server F5 BigIP Current Setup F5 BigIP is configured to send logs via syslog since running a Wazuh agent is not possible (BigIP standard practices restrict installing new packages). Issue Description When sending logs from F5 BigIP to Wazuh using syslog: Logs are appearing in ossec.log instead of archives.log as specified in the official documentation The logs are being received in hexadecimal format The logs appear to be incomplete with an error message indicating "to big size above" Current Configurations Wazuh Configuration F5 BigIP Syslog Configuration Expected Behavior Logs should be written to archives.log Logs should be complete and properly decoded No size limitation errors should occur Actual Behavior Logs are being written to ossec.log Logs are in hexadecimal format Receiving error: "to big size above" Logs are incomplete Troubleshooting Steps Attempted Network Connectivity Verification: Performed tcpdump analysis - confirmed packets are being transmitted correctly No network-level issues identified Wazuh Configuration Adjustments: Modified client_buffer settings - no impact on the issue Tested multiple port configurations - issue persists Port Testing: Attempted communication through different ports Issue remained consistent across all port configurations Additional Attempts: Exhausted various other configuration combinations No successful resolution achieved through standard troubleshooting methods Debug Information Decoded Hex Log Sample Additional Notes The incomplete hex format suggests potential issues with message size limitations or parsing Willing to provide additional information or troubleshooting details through a call if needed Questions Is this a known issue with F5 BigIP syslog integration? Are there specific size limitations that need to be configured? Is there a configuration parameter that needs to be modified to direct logs to archives.log?
TCP Rewrite Rule used in Syslog TCP
Hi Dev/Central community! I've a SIEM with two syslog/tcp recievers (Let's name it R1 and R2). I 've created a VS to listen a 514/TCP, recieve the Syslog TCP message and send it to R1. In case R1 is down, the VS will send the Syslog TCP message to R2. As my SIEM assign a tag to each message recieved with the client IP, I need to rewrite the syslog message before send it to the R1 or R2 receivers (because I see the f5 self ip as client IP in the recievers). So, I've writed an iRule to rewrite the header of each syslog message before send it. this is my irule so far: when CLIENT_ACCEPTED { # Tomo la IP del cliente que se conecta al VS / Get the client IP connecting to the VS set ip_original [IP::remote_addr] # Tomo el Payload y la paso al siguiente nivel / Get the tcp payload to send it to Client Data TCP::collect log local0. "Client Accepted from $ip_original" } when CLIENT_DATA { set OrgininalTCPLength [TCP::payload length] # Primer <PRI> del payload / Try to detect <PRI> header in very first payload bytes regsub {^<\d+>} [TCP::payload] "\[\]\[\]\[$ip_original\]\[[clock seconds]\]\[\] " string # CRLF 0d0a \r\n + <PRI> / Look for another syslog message in the same TCP Payload regsub -all {\r\n<\d+>} $string "\r\n\[\]\[\]\[$ip_original\]\[[clock seconds]\]\[\] " string set len [TCP::payload length] TCP::payload replace 0 $len $string set ModifiedTCPLength [TCP::payload length] # Se pasa el Payload al siguiente nivel / Send the modified payload to the next level log local0. "Forwarindg message from $ip_original \t original length: $OrgininalTCPLength \t modified length: $ModifiedTCPLength" TCP::release #Preparo una nueva recoleccion / Get ready for a new collection TCP::collect } The iRule works like a charm, but in some very little times, it seem to doesn't rewrite the message... Any clue/ideas/troubleshooting tips? Regards, Max
