IRONMAN
Nov 13, 2020

F5 sending syslogs with two hostnames to remote syslog server

Hi All,

We have an F5 device (LTM + AFM), and we configured the syslog server Splunk via a Linux syslog server as forwarder.

On the Linux server each F5 is creating two syslog files, one with just the host name and another one with the FQDN name.

Both are different logs, not duplicates.

I am not sure where to merge it or make it single; can anyone guide me, please!

 

  • Hi,

    We have a solution for this.

    https://support.f5.com/csp/article/K76259573

    Recommended Actions

    Include "options {use_fqdn(yes); keep_hostname(no); };" in the syslog configuration:

    Use the following command in the CLI:

     tmsh modify sys syslog include "options {use_fqdn(yes); keep_hostname(no); };"

    F5 has an option to mark its host name (as host name only or as FQDN) in the syslog message.

  • From what I can think of, it's coming from 2 different source IPs.

    One could be your management IP and the other your self IP address.

    When the traffic comes to the forwarders, it does a reverse lookup for the IP and creates the log file respectively.

    But I don't see a problem with this; it's quite common. All you have to do is work with your Splunk team to index them properly. As long as both logs' source types are the same and they are indexed to one common indexer, it's not a big deal.

    Else you'll have to make changes on the LTM to force the logs to go out through one interface, either mgmt or tmm. There are KB articles on that.

    Hope this helps.
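A check that can be run on the Linux forwarder to see which devices are logging under both a short name and an FQDN, for instance before and after the `use_fqdn(yes); keep_hostname(no);` change discussed in this thread. This is an added example, not part of the thread or of F5's article; the host names and log lines are constructed, and the header pattern assumes RFC 3164-style lines.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 3164-style header (assumed format): optional <PRI>, timestamp, HOSTNAME field.
HEADER = re.compile(
    r"^(?:<\d{1,3}>)?[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?P<host>\S+)\s"
)

# Constructed sample lines with hypothetical host names, not taken from the thread.
SAMPLE = """\
<134>Nov 13 10:01:02 bigip01 tmm[1234]: constructed AFM message
<134>Nov 13 10:01:03 bigip01.example.com notice mcpd[5678]: constructed LTM message
<134>Nov 13 10:01:04 bigip02.example.com notice mcpd[5678]: constructed LTM message
<134>Nov 13 10:01:05 10.0.0.5 tmm[1234]: constructed message, no reverse DNS
not a syslog line
"""

def host_labels(lines):
    """Yield the normalized HOSTNAME field of every line with a parsable header."""
    for line in lines:
        m = HEADER.match(line)
        if m:
            yield m.group("host").lower().rstrip(".")

def is_ip(label):
    """True when the HOSTNAME field is an IP literal rather than a name."""
    try:
        ipaddress.ip_address(label)
        return True
    except ValueError:
        return False

def split_identities(lines):
    """Map short name -> labels, keeping only devices seen under more than one label."""
    seen = defaultdict(set)
    for label in host_labels(lines):
        # An IP literal has no short form, so it is kept whole as its own key.
        key = label if is_ip(label) else label.split(".", 1)[0]
        seen[key].add(label)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for short, labels in split_identities(SAMPLE.splitlines()).items():
        print(f"{short}: logged as {', '.join(labels)}")
```

An empty result after the configuration change means every device is arriving under a single label; devices that still appear under an IP literal are not matched to a name by this check.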
