Troubleshooting BIG-IP
Common Issues and Solutions
Installation Issues
Issue: Integration fails to install
Solution: Verify Logpoint version compatibility (v6.7.0 or later for Devices, v7.4.0 or later for log source template)
Solution: Check available disk space and system resources
Solution: Ensure proper administrative privileges
Issue: Integration not visible after installation
Solution: Refresh the browser and check under Settings >> System Settings >> Plugins
Solution: Restart Logpoint if necessary
Configuration Issues
Issue: Cannot configure syslog forwarding on BIG-IP device
Solution: Verify you have administrative access to BIG-IP device
Solution: Ensure Logpoint IP address is reachable from BIG-IP device
Solution: Check firewall rules allow syslog traffic (typically UDP port 514)
Solution: Consult F5 BIG-IP documentation for module-specific syslog configuration
Issue: Wrong normalization packages selected
Solution: Verify your BIG-IP modules match the selected normalization packages
Solution: For ASM logs, include LP_BIG-IP ASM packages
Solution: For APM logs, select the appropriate version package (v11_x_x or v12_x_x)
Solution: For Load Balancer logs, select LP_F5 Load Balancer packages
Solution: Multiple packages can be selected for deployments with multiple modules
Issue: Processing policy configuration errors
Solution: Ensure normalization policy is created before processing policy
Solution: Verify BigIPF5CompiledNormalizer is selected in the normalization policy
Solution: Check that routing and enrichment policies are properly configured
Data Ingestion Issues
Issue: No logs being ingested
Solution: Verify BIG-IP device is configured to forward syslog to Logpoint
Solution: Check if syslog service is running on BIG-IP device
Solution: Confirm syslog collector is active in Logpoint
Solution: Test network connectivity from BIG-IP to Logpoint
Issue: Incomplete log ingestion (missing specific module logs)
Solution: Verify syslog forwarding is configured for all BIG-IP modules (ASM, APM, LTM, AFM)
Solution: Check routing criteria configuration - ensure it matches your BIG-IP log structure
Solution: Verify the correct normalization packages are selected for each module
Solution: Monitor collector logs for errors or warnings
Issue: Logs not normalized correctly
Solution: Verify BigIPF5CompiledNormalizer is selected in normalization policy
Solution: Ensure appropriate normalization packages are included for your BIG-IP modules
Solution: Check log format matches expected format (standard syslog, CEF, or key-value pairs)
Solution: Ensure SyslogParser is selected as the parser
Issue: ASM logs not parsing correctly
Solution: Verify LP_BIG-IP ASM Remote Server Format or LP_BIG-IP ASM Reporting Server Format is selected
Solution: Check if ASM is configured to send logs in the correct format
Solution: Ensure F5ASMCEFCompiledNormalizer or F5ASMNormalizer module is active
Solution: Verify ASM policy is configured to log violations and attacks
Issue: APM logs missing or incomplete
Solution: Select the correct APM normalization package (v11_x_x or v12_x_x) based on your version
Solution: Verify APM access policies are configured to log authentication events
Solution: Check that session logging is enabled in APM
Dashboard and Analytics Issues
Issue: Dashboard widgets not displaying data
Solution: Verify repository selection matches where BIG-IP logs are stored
Solution: Check time range settings on dashboard
Solution: Confirm normalization is working correctly using search query:
col_type IN ["bigip", "f5"]
Issue: Load Balancer v11_6 dashboard showing no authentication data
Solution: Verify APM module is logging authentication events
Solution: Check that user authentication events are being normalized correctly
Solution: Ensure device timezone matches log source timezone
Solution: For "Top 10 User that Doesn't Exist" widget, create REGISTERED_USERS list
Issue: ASM dashboard showing no attack data
Solution: Verify ASM is properly configured and actively blocking/detecting attacks
Solution: Check if ASM security policies are applied to web applications
Solution: Ensure violation logging is enabled in ASM policies
Solution: Verify attack-related fields are being parsed correctly
Issue: Load Balancer v11_4_1 dashboard showing no traffic
Solution: Verify LTM module is configured to log HTTP traffic
Solution: Check that virtual servers are configured with appropriate logging profiles
Solution: Ensure request and response logging is enabled
Solution: Verify traffic is actually flowing through virtual servers
Issue: Missing geolocation data in ASM dashboard
Solution: Verify GeoIP enrichment policy is configured in Logpoint
Solution: Check that source IP addresses are being extracted correctly
Solution: Ensure GeoIP database is up to date in Logpoint
Performance Issues
Issue: Slow query performance
Solution: Optimize queries by adding time range constraints
Solution: Use indexed fields in search queries where possible
Solution: Consider data retention policies to manage repository size
Solution: Filter by specific BIG-IP modules (ASM, APM, LTM) to reduce search scope
Issue: High resource usage
Solution: Monitor syslog collector resource consumption
Solution: Implement log filtering using routing criteria to reduce unnecessary data ingestion
Solution: Monitor and tune normalization policies
Solution: Consider separate repositories for different BIG-IP modules
Issue: High log volume from BIG-IP
Solution: Adjust logging levels on BIG-IP modules to reduce verbosity
Solution: Configure ASM to log only high-severity violations
Solution: Use sampling or rate limiting on BIG-IP if supported
Solution: Implement selective routing criteria to discard low-priority events
Module-Specific Issues
Issue: ASM security policy violations not appearing
Solution: Verify ASM policies are in blocking or transparent mode (not disabled)
Solution: Check that violation logging is enabled in ASM policy settings
Solution: Ensure request logging includes violation details
Solution: Verify security policy is applied to the correct virtual servers
Issue: LTM virtual server metrics missing
Solution: Verify virtual server logging profiles are configured
Solution: Check that request and response logging is enabled
Solution: Ensure virtual server is receiving traffic
Solution: Verify pool member status logging is configured
Issue: APM session tracking incomplete
Solution: Verify APM session logging is enabled
Solution: Check that access policy includes logging actions
Solution: Ensure session timeout settings allow sufficient tracking
Solution: Verify session ID is being normalized correctly
Issue: AFM firewall events not logging
Solution: Verify AFM logging profiles are configured
Solution: Check that firewall rules include logging actions
Solution: Ensure LP_F5 BIG-IP AFM Syslog normalization package is selected
Solution: Verify AFM policies are active and processing traffic
HTTP Status Code Issues
Issue: HTTP status codes not labeled correctly
Solution: Verify LP_F5 Load Balancer v11_4_1 label package is installed
Solution: Check that status_code field is being extracted correctly
Solution: Ensure logs include HTTP response codes
Solution: Verify label mapping for status codes 2xx, 3xx, 4xx, 5xx
Issue: User management events not appearing
Solution: Verify LP_F5 Load Balancer label package is installed
Solution: Check that audit logging is enabled on BIG-IP
Solution: Ensure user management operations (create, modify, delete) are logged
Solution: Verify Command Ok status is present in user management logs
Content Type and User Agent Issues
Issue: Content type filtering not working
Solution: Verify content_type field is being extracted from logs
Solution: Check that HTTP headers include Content-Type information
Solution: Ensure LTM logging includes HTTP header details
Issue: User agent tracking incomplete
Solution: Verify User-Agent header is being logged by BIG-IP
Solution: Check that user_agent field is being normalized correctly
Solution: Ensure HTTP request logging includes full headers
Solution: Verify user agent parsing is working for mobile and desktop browsers
Attack Detection and Threat Intelligence Issues
Issue: Malware detections not appearing in ASM dashboard
Solution: Verify ASM anti-malware protection is enabled
Solution: Check that malware scanning is configured in security policies
Solution: Ensure virus_name field is being parsed correctly
Solution: Verify malware signatures are up to date on BIG-IP ASM
Issue: Geographic attack distribution showing "N/A"
Solution: Verify GeoIP enrichment is configured in Logpoint
Solution: Check that geo_location field contains valid country codes
Solution: Ensure source IP addresses are public (not RFC 1918 private IPs)
Solution: Update GeoIP database in Logpoint
Issue: Attack types not categorized correctly
Solution: Verify attack_type field is being extracted correctly
Solution: Check ASM signature database is current
Solution: Ensure security policies include appropriate attack signatures
Solution: Verify threat classification is working in ASM
Virtual Server and Load Balancing Issues
Issue: Virtual server names not appearing correctly
Solution: Verify VS_NAME or virtual_server field is being extracted
Solution: Check BIG-IP naming conventions and partition structure
Solution: Ensure virtual server logs include full partition path
Solution: Verify normalization correctly handles partition/folder structure
Issue: Pool member status not tracking
Solution: Verify pool monitoring is configured on BIG-IP
Solution: Check that pool member state changes are logged
Solution: Ensure health monitoring logs are being forwarded
Solution: Verify server_address field is being normalized correctly
Issue: Load balancing distribution metrics unavailable
Solution: Verify LTM statistics logging is enabled
Solution: Check that connection and request counts are logged
Solution: Ensure load balancing algorithms include logging
Solution: Verify pool member traffic distribution is being tracked
Last updated
Was this helpful?