Forum Discussion

igor_'s avatar
igor_
Icon for Cirrus rankCirrus
Jul 19, 2023

F5 remote logging server

Hi all,

I have configured F5 to use a remote log server which is in a different subnet range. Nothing is going into it from F5. Are there some other things that have to be enabled also?

The remote log server is based on Graylog solution.

Looking at this article can someone explain the concept of Default route domain ((Domain 0) or management network)?

https://my.f5.com/manage/s/article/K13080

Does this means that my Graylog server has to be on the same network as F5 

Thanks,

Igor

  • igor_'s avatar
    igor_
    Jul 27, 2023

     Hi,

    We managed to solve the problem by configuring Logging Profile in Security >> Event Logs: Logging Profiles and assigning it to a VS.

    We had to set the Logging Format to CSV, which is a headache for Graylog since you have to create extractors for different field types.

  • Your syslog server can be anywhere. The F5 needs to know how to get there! For syslog traffic, originating from the F5 BIG-IP you can use the MGMT port but if you want to use High Speed Logging (HSL) it would be advantageous to use a TMM port. To accomplish these things, you need to add routes. So the F5 knows where to send the traffic. Then of course you need to make sure your network has the correct permissions (firewall policies) and routes as well.

     

  • I think whisperer is on the right track here.  Can you confirm general network connectivity?  Is there a default route?

    • igor_'s avatar
      igor_
      Icon for Cirrus rankCirrus

      Hi Ben, 

      I can confirm network connectivity.

      What I would like to accomplish is to forward HTTP nd HTTPS request/response access logs from virtual servers, but can't get it to work.

      We have tried configuring HSL but no luck.

      https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-12-0-0/4.html

      Do you have any suggestions?

      I need something similar to the way HAProxy forwards access logs like this:

      <150>1 2023-07-27T12:39:12.294222+02:00 ha-proxy1 haproxy 2017 - - 66.222.89.228:56299 [27/Jul/2023:12:39:12.014] hapeuat~ api/uatapi1 0/0/0/279/279 200 5358 - - --NI 59/59/0/0/0 0/0 "GET /api/v1/content/auto-img/shared/footer.png HTTP/1.1"

  • Hi,

    Thanks so much for the response. I am waiting for my network engineer next week so that I can verify that everything is allowed between networks.

    I will be also looking into configuring HSL. Seems that something wasn't configured properly on F5.