Forum Discussion

amelben's avatar
amelben
Icon for Altostratus rankAltostratus
Feb 10, 2025
Solved

CEF logs F5

Hello,   Is it possible to configure F5 appliances (LTM and Big IP DNS) to send logs in CEF format to a remote syslog server? I've configured remote logging, but I haven't found a way to format th...
cef
logs
logstash
remote log
syslog
  • Michael_Saleem's avatar
    Michael_Saleem
    Feb 18, 2025

    Hi,

    After doing further research it looks like the ArcSight log format is only supported for AFM, ASM and SWG logs (and not system logs) which is why you do not see the option (as I assume you do not have any of these modules provisioned on your BIG-IP)

     

    ArcSight logging destination / ArcSight CEF format is only supported for modules AFM, ASM, and SWG components.

    https://my.f5.com/manage/s/article/K000139357

     

    Kind regards,

    Michael

Michael_Saleem's avatar
Michael_Saleem
Icon for MVP rankMVP
Feb 11, 2025

Hi,

This is possible. You will just need to configure it slightly differently using HSL (High Speed Logging).

A high level overview of what you would need to configure:

1) An LTM pool of remote syslog server(s) (e.g. 192.168.1.123:514)

2) A Log Destination referencing the LTM pool (System > Logs > Configuration > Log Destinations > Create)

In the "Type" dropdown menu, select "ArcSight" (which is CEF format)

3) A Log Publisher referencing the Log Destination (System > Logs > Configuration > Log Publishers > Create


More detailed instructions below:

Configuring Remote High-Speed Logging