Racharla_Chandr
Aug 05, 2015

Configured syslog don't know how to verify

Hi All,

Here is the configuration:

    bp>syslog remote server list all
    syslog {
       remote server ftd-backup01.hyd.ftd.com {
          host 10.100.10.100
          local ip none
          remote port 514
       }
    }
    bp>

On this syslog server (10.100.10.100) I'm not seeing any logs getting captured. How shall I troubleshoot this issue?

Thanks for any inputs in advance.

Regards,

Chandu

2 Replies

  • Hi,

    Are you running TMOS 10.x and is this bigpipe syntax?

    If so, you can check if the syslog server is available via mgmt interface or selfip.

    And you can also run tcpdump -s0 -nni0.0 port 514 and host 10.100.10.100 to see if there are any packets.

  • Hi!

    You could try tcpdump:

    tcpdump -nni any udp and host 10.100.10.100
    

    See if you get any hits.

    We configure our syslog through tmsh like this, perhaps you can try these lines?

    tmsh modify /sys syslog remote-servers none
    tmsh modify sys syslog include "filter f_remote_loghost { facility (auth,local0) and level (debug...emerg);}; destination d_remote_loghost { udp(\"10.100.10.100\" port(514));};log {source(s_syslog_pipe);filter(f_remote_loghost);destination(d_remote_loghost);};"
    

    Also, please look in the firewalls for dropped packets heading for the syslog server.

    /Patrik
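
To complement the tcpdump checks suggested in the replies, the receiving side can be checked as well. The following is an added example, not part of the original thread: a small UDP listener for the syslog server that decodes each message's PRI field and reports whether it came from the BIG-IP and whether its facility is one named in the f_remote_loghost filter above. The sender address 192.0.2.10 and the names decode_pri and listen are assumptions made for this illustration.

```python
import re
import socket

# Facility and severity names by numeric code (RFC 5424 numbering).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
PRI_RE = re.compile(rb"^<(\d{1,3})>")

# Facilities named in the f_remote_loghost filter quoted in the thread. Its
# level range (debug through emerg) spans every severity, so only the
# facility decides whether a message is forwarded.
FILTER_FACILITIES = {"auth", "local0"}

def decode_pri(datagram):
    """Return (facility, severity) from the leading <PRI>, or None if invalid."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:   # 23 * 8 + 7 is the largest valid PRI
        return None
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def listen(sock, expected_sender, count, timeout=5.0):
    """Collect up to `count` datagrams from a bound UDP socket and classify them."""
    sock.settimeout(timeout)             # applies to each receive call
    seen = []
    try:
        while len(seen) < count:
            data, (src, _port) = sock.recvfrom(8192)
            facility, severity = decode_pri(data) or (None, None)
            seen.append({
                "source": src,
                "from_expected": src == expected_sender,
                "facility": facility,
                "severity": severity,
                "matches_filter": facility in FILTER_FACILITIES,
                "text": data.decode("utf-8", "replace").rstrip(),
            })
    except socket.timeout:
        pass                             # nothing (more) arrived within the timeout
    return seen

if __name__ == "__main__":
    BIGIP_SOURCE = "192.0.2.10"          # placeholder: the BIG-IP's sending address
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("0.0.0.0", 514))            # needs root, and the port must be free
    for record in listen(rx, BIGIP_SOURCE, count=10, timeout=30):
        print(record)
```

An empty result means no datagram reached the host at all, which points at routing or a firewall rather than at the syslog daemon's own configuration.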