For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

IRONMAN's avatar
IRONMAN
Icon for Cirrostratus rankCirrostratus
Nov 13, 2020
Solved

F5 Sending syslogs with two hostname to remote syslog server

HI All,   we have F5 Device (LTM + AFM), we configured syslog sever splunk via linux syslog server as forwarder. in Linux server each F5 creating two syslog files, only with just host name and a...
AFM
application delivery
BIG-IP
Linux server
log
LTM
security
splunk
syslog
  • IRONMAN's avatar
    IRONMAN
    May 07, 2021

    HI ,

     

    We have solution for this.

     

    https://support.f5.com/csp/article/K76259573

     

    Recommended Actions

     

    Include "options {use_fqdn(yes); keep_hostname(no); };" to syslog configuration :

     

    Use following command in CLI:

     

     tmsh modify sys syslog include "options {use_fqdn(yes); keep_hostname(no); };"

     

     

    F5 has option to mark his host name in (only host name or FQDN name) in syslog message.

     

     

     

jaikumar_f5's avatar
jaikumar_f5
Icon for Noctilucent rankNoctilucent
Nov 16, 2020

From what I can think of, its coming from 2 different source ip's.

One could be your management ip and other your self IP address.

When the traffic comes to the forwarders, it does reverse lookup for the IP and creates the log file respectively.

 

But I dont see a problem on this, its quite common. All you have to do is, work with your splunk team, to index them properly. As long as both the logs source type are same, and indexed to one common indexer, its not a big deal.

 

Else you'll have to make changes on the LTM to force the logs to go out through one interface, either mgmt or tmm. There's KB articles to that.

 

Hope this helps.