Forum Discussion
AltostratusCEF logs F5
Hello,
Is it possible to configure F5 appliances (LTM and Big IP DNS) to send logs in CEF format to a remote syslog server?
I've configured remote logging, but I haven't found a way to format the logs.
BIG-IP 15.1.2.1 Build 0.0.10 Point Release 1
Thanks in advance
Hi,
After doing further research it looks like the ArcSight log format is only supported for AFM, ASM and SWG logs (and not system logs) which is why you do not see the option (as I assume you do not have any of these modules provisioned on your BIG-IP)ArcSight logging destination / ArcSight CEF format is only supported for modules AFM, ASM, and SWG components.
Kind regards,
Michael
Hi,
This is possible. You will just need to configure it slightly differently using HSL (High Speed Logging).
A high level overview of what you would need to configure:
1) An LTM pool of remote syslog server(s) (e.g. 192.168.1.123:514)2) A Log Destination referencing the LTM pool (System > Logs > Configuration > Log Destinations > Create)
In the "Type" dropdown menu, select "ArcSight" (which is CEF format)
3) A Log Publisher referencing the Log Destination (System > Logs > Configuration > Log Publishers > Create
More detailed instructions below:
amelbenHello,
Thank you. I have tried to configure it this way but ArcSight log type is not available on my dropdown menu. I am on version 15.1.2.1, do you have any idea if F5 no longer supports Arcsight logs?
Thanks again
Hi,
That's interesting. My lab BIG-IP is on 17.1.2.1 and I can see the Arcsight option. Below is a screenshot:
What options do you see?- amelben
Hi,
These are the only options i have :
