Forum Discussion
I noticed in the Graylog portal, most of the messages from the F5s (which read "default send string") appear to be from the Monitor that is configured on the syslog pool that I setup. Is there a way to prevent the monitor messages from getting to Graylog?
That would need to be a configuration option in Graylog to drop those UDP monitor messages.
We send them to see if we get an ICMP Unreachable back (indicating a closed port). What happens next (logging or dropping the message) is up to Graylog. You may want to review
K6143: UDP health monitor operation
to understand how a UDP monitor operates.
I notice that in Graylog, I am only receiving logs from one of the F5s. I believe this is because I did not specify a "Local ip" address when configuring the "Remote Logging/Remote Syslog Server List", based on https://support.f5.com/csp/article/K13080. However, when I specify a "Local ip - Non HA" (I used the management ip), nothing changed.
Can we be clear about the difference between Remote SYSLOG and High Speed Logging?
Remote Syslog is logging from syslog (i.e. control-plane service logs) to a syslog server.
This traffic can be routed through tmm and should use the appropriate non-floating self-IP address as the source, or the management IP address (if the syslog server is on the management network). Some elements of the syslog config are synced config across the device-group, and some (such as the local-ip) are local to the device and need to be configured individually on each member of the device-group after syncing the config.
High Speed Logging is data-plane logging from iRules/Logging Profiles/Request Logging Profile. Logs sent to HSL should always remain in tmm (on the data-plane) and should not pass through syslog on the control plane or be written to disk. While you can send this traffic to a syslog server routed via the management network (as above) this is not generally recommended.
K50040950: Configuring the BIG-IP system to send high-speed logs through the management interface
HSL logs are generated from the Active device/traffic-groups.
So you need to create the remote syslog destination, sync the config, and then ensure each device is configured with the appropriate local-ip so you can determine which device sent the traffic.
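The procedure in the reply above, written out as tmsh commands. This is an added example, not part of the original thread or of the linked F5 articles; the object name graylog-udp, the device-group name DEVICE_GROUP_NAME and the addresses 192.0.2.10 (Graylog), 10.0.0.11 and 10.0.0.12 (each device's own non-floating self IP) are constructed placeholders. The remote-servers entry itself is synced config, so it is created once and pushed to the group; local-ip is per-device and is set separately on each member after the sync, which is why the user's change on one device did not make the second device's logs appear.

```tmsh
# Step 1: on one member of the device-group, create the remote syslog
# destination (constructed values: name graylog-udp, host 192.0.2.10, UDP 514).
modify /sys syslog remote-servers add { graylog-udp { host 192.0.2.10 remote-port 514 } }
save /sys config

# Step 2: push the synced part of the config to the other members.
# DEVICE_GROUP_NAME is a placeholder for your sync-failover device group.
run /cm config-sync to-group DEVICE_GROUP_NAME

# Step 3: on EACH device, set the non-synced local-ip to that device's own
# non-floating self IP (or its management IP only if Graylog sits on the
# management network). Do this on device A:
modify /sys syslog remote-servers modify { graylog-udp { local-ip 10.0.0.11 } }
save /sys config

# ...and again on device B with its own address:
modify /sys syslog remote-servers modify { graylog-udp { local-ip 10.0.0.12 } }
save /sys config

# Verify on each device that host/port match and local-ip is that device's own.
list /sys syslog remote-servers
```

Because each device now sources its syslog traffic from a distinct local-ip, Graylog can attribute messages to the sending unit by source address. The UDP monitor probes from the earlier question are a separate stream arriving from the pool monitor rather than from syslog, and filtering them (for example by matching the "default send string" payload in a Graylog pipeline rule that calls drop_message()) remains a Graylog-side decision, as the first reply notes.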