Forum Discussion

mario365_345588
Jan 04, 2018

Can't collect syslog data on my syslog server

I'm having issues collecting data on a new syslog-ng server I added. I can ping the syslog server and the ports I configured for it are open. The syslog server is also collecting messages for 400+ devices on my network. There is no firewall between the F5 & the syslog server, and both devices are on my inside network. I made sure my syslog server was not misconfigured & mirrored the configs for my other devices & load balancers. I looked at the local syslog messages on the F5 and saw an error, & when I researched it on the F5 support site it indicated that the syslog server port the F5 is trying to send to is unreachable. I know that the port is reachable from the F5 & from other devices that are successfully logging. I included the error message below and a screenshot of all my settings on the F5. Am I missing something?

 

log message... Suspending write operation because of an I/O error; fd='26', time_reopen='60'

 

  • I also included all F5 IPs on my syslog server to rule out F5 source IPs not being allowed.

     

  • This should probably be a support case. Having said that, I would take a packet capture at two points, at the BigIP and at the syslog server. You want to see if the traffic is leaving the BigIP and if it's arriving at the syslog server. Be aware that the BigIP may be trying to use the management vs TMM. Depending on your software version, it may do this even if you have it configured to do otherwise.

     

  • Thanks for update. Are packet captures done only through cli? I assume I would need to make a directory, do a tcpdump and use something like WinSCP to download the capture file to my computer?

     

    Are there any other config changes needed on the F5 for this to work?

     

    Are there any docs you could point me to?

     

  • I would suggest using the CLI, yes. Some versions of the BigIP will allow you to run a tcpdump from the web interface, but you have very little control that way. I would suggest the /var/tmp directory which has a fair amount of room on it. I would suggest the following:

     

    tcpdump -s0 -i 0.0:nnn -w /var/tmp/<filename> host <ip>

     

    -s0 = don't truncate the packets
    -i 0.0:nnn = capture on all VLANs and add F5-specific data to the packets (support will want this if you end up opening a case)
    -w = write to a file, not the screen

     

    If you don't see what you're looking for there you can substitute

     

    tcpdump -s0 -i eth0 -w /var/tmp/<filename> host <ip>

     

    Which will capture on the management port. Make sure you replace <filename> with an actual filename and <ip> with the IP you want to watch.
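    An added example, not from this thread or from F5: a small Python probe that sends one RFC 3164 syslog line from a chosen source address (a self IP or the management IP, as discussed above) so you can tell whether the collector accepts traffic from that address before reaching for a packet capture. The server, port and source IPs are assumed values, and the embedded TCP listener is only a stand-in for syslog-ng so the script can be run offline.

```python
"""Check whether a syslog collector accepts a test message from a given source IP."""
import socket
import threading
from datetime import datetime

def build_syslog_message(facility, severity, hostname, tag, msg, now=None):
    # RFC 3164: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG, where PRI = facility*8 + severity
    pri = facility * 8 + severity
    ts = (now or datetime.now()).strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {tag}: {msg}"

def send_test_syslog(server, port, source_ip, line, proto="tcp", timeout=3.0):
    """Send one line with the egress address forced to source_ip; return (ok, detail).
    Success from one source IP but failure from another points at a source ACL on the
    collector (or a route that sends the BIG-IP out of the wrong interface)."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    sock = socket.socket(socket.AF_INET, kind)
    sock.settimeout(timeout)
    try:
        sock.bind((source_ip, 0))  # pin the source address, let the OS pick the port
        if proto == "tcp":
            sock.connect((server, port))
            sock.sendall((line + "\n").encode())
        else:
            sock.sendto((line + "\n").encode(), (server, port))
        return True, f"sent from {sock.getsockname()[0]} to {server}:{port}/{proto}"
    except OSError as exc:
        return False, f"{type(exc).__name__}: {exc}"
    finally:
        sock.close()

def start_tcp_collector(bind_ip="127.0.0.1"):
    """Minimal stand-in for a syslog-ng TCP source (offline testing only).
    Accepts one connection, reads one line, then closes. Returns (port, received, thread)."""
    received = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_ip, 0))  # port 0: ephemeral, read back below
    srv.listen(1)
    srv.settimeout(5.0)
    port = srv.getsockname()[1]
    def serve():
        try:
            conn, _ = srv.accept()
            conn.settimeout(5.0)
            with conn:
                received.append(conn.makefile("rb").readline().decode().rstrip("\n"))
        except OSError:
            pass
        finally:
            srv.close()
    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, received, thread

if __name__ == "__main__":
    # Constructed run against the local stand-in; replace with the real collector,
    # its port, and the BIG-IP self IP or management IP you want to test from.
    port, got, thread = start_tcp_collector()
    line = build_syslog_message(16, 6, "bigip1", "probe", "reachability test")
    print(send_test_syslog("127.0.0.1", port, "127.0.0.1", line))
    thread.join(5)
    print("collector received:", got)
```

    Run it once bound to the self IP and once bound to the management IP; if only one of them gets through, the problem is on the collector's allow list or in which interface the BIG-IP is sourcing from, not on the port.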

     

  • Could you tell me, if the F5 is sourcing from the management IP instead of the TMM, would that still work so long as my syslog server allows the management IP? Is there a doc that walks me through how to source from the TMM? I'm running version 11.5.3 (build 0.0.163)

     

  • Mario, sourcing the data from management is fine, from the BigIP's point of view.