JB_41341
Sep 27, 2012

Forwarding syslog-ng from a specific interface

Hi all,

I'm trying to get syslog forwarded from our F5 boxes to a Splunk server for indexing, reporting, and alerting. At the moment, I'm only concentrating on the LTM log. I found an article (that I can't find again for whatever reason) that suggested a config similar to what I have at the end of this post.

I set that up, and it appears to be correct (no syslog-ng errors/crashes), but our log server is not receiving the log data. After working with the F5 a little more, I discovered that traffic is by default routed out of our external (web serving) interface. It needs to go out of our mgmt interface due to network configurations -- the external iface is restricted from the log server via network ACLs and routing. I don't want to muck with the default routing on the F5 considering that may have additional implications that I don't know of. I verified that with netcat, specifying an address to send on gets to our log server, but when I tried looking online for a method to make syslog-ng connect, I couldn't find anything. Is there a way to specify which IP address or interface syslog-ng should be sending on?

-- Config snippet --

b syslog include '"
filter f_local0a {
    facility(local0);
};

destination d_loghost5a {
    udp(\"xx.xx.xx.xx\" port (514));
};

log {
    source(local);
    filter(f_local0a);
    destination(d_loghost5a);
};
"'

  • This article and the links within should get you what you need:

    http://support.f5.com/kb/en-us/solutions/public/10000/200/sol10239.html
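
The check the original poster describes, which source address the host picks by default versus a send pinned to a chosen address (the netcat test), can be reproduced as below. This is an added example, not code from the thread or from F5; the function names, the `srctest` tag, and the loopback listener standing in for the log server are assumptions made for illustration.

```python
import socket

LOCAL0 = 16  # syslog facility code for local0, the facility the posted filter matches
INFO = 6     # syslog severity "informational"


def default_source_for(dest_ip, port=514):
    """Return the source IP the routing table selects for dest_ip.

    connect() on a UDP socket sends no packet; it only makes the kernel
    choose a route and local address, which getsockname() then reports.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dest_ip, port))
        return s.getsockname()[0]


def send_test_syslog(dest_ip, port, text, source_ip=None, tag="srctest"):
    """Send one minimal BSD-syslog style datagram; return (source IP used, payload)."""
    payload = f"<{LOCAL0 * 8 + INFO}>{tag}: {text}".encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if source_ip:
            # Binding before sending pins the source address, like the
            # netcat test in the post; port 0 lets the kernel pick a port.
            s.bind((source_ip, 0))
        s.connect((dest_ip, port))
        s.send(payload)
        return s.getsockname()[0], payload


if __name__ == "__main__":
    # Constructed demo on loopback: a throwaway UDP listener plays the log server.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        port = rx.getsockname()[1]
        print("kernel would send from:", default_source_for("127.0.0.1", port))
        used, _ = send_test_syslog("127.0.0.1", port, "hello", source_ip="127.0.0.1")
        data, peer = rx.recvfrom(1024)
        print("sent from", used, "| listener saw", peer[0], data)
```

If `default_source_for()` returns an address the log server's ACLs reject while a pinned send from the management address arrives, the forwarding failure is a source-address problem rather than a filter or destination problem.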