Last Modified: Jun 28, 2025
Affected Product(s):
BIG-IP All
Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6, 17.0.0, 17.0.0.1, 17.0.0.2, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.5.0, 17.5.1
Opened: Mar 28, 2023 Severity: 3-Major
When audit logging is enabled, configuration changes are logged to the /var/log/audit file, however there is a 8K (8192 byte) limit to the size of these messages, meaning that if a larger mcp object is modified, the audit log message related to that change may be truncated. Note that there is a similar, but distinctly different, issue related to audit messages of objects containing carriage returns (typically irules) - see ID842669, which can give the appearance of the log message being truncated earlier than 8192 bytes.
Incomplete audit log messages, potentially making it difficult to retrospectively tell when a configuration change occurred.
Modification or creation of a large mcp object, such as an APM ACL, data-group, or irule.
Create smaller mcp objects that are able to be expressed completely in less than 8192 bytes. For example, consider multiple smaller APM ACL objects, all attached to the same apm policy, rather than one large ACL.
None