Forum Discussion

Danny_Arroyo's avatar
Danny_Arroyo
Icon for Cirrus rankCirrus
Nov 08, 2018

HSL Logging with an HA F5 Cluster

I am running a pair of 2000 series F5s in an HA Cluster. They are running v13.1.0.8 (Build 0.0.3). I created a UDP syslog pool (containing our Graylog Servers) and enabled HSL logging. I am having ...
BIG-IP
LTM
security
Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
Nov 08, 2018

I noticed in the Graylog portal, most of the messages from the F5s (which read "default send string") appear to be from the Monitor that is configured on the syslog pool that I setup. Is there a way to prevent the monitor messages from getting to Graylog?

 

That would need be a configuration option in Graylog to drop those UDP monitor messages.

 

We send them to see if we get an ICMP Unreachable back (indicating a closed port). What happens next (logging or dropping the message) is up to Graylog. You may want to review

 

K6143: UDP health monitor operation

 

to understand how a UDP monitor operates.

 

I notice that in Graylog, I am only receiving logs from one of the F5's. I believe this is because I did not specify a "Local ip" address when configuring the "Remote Logging/Remote Syslog Server List". Based on (https://support.f5.com/csp/article/K13080). However, when I specify a "Local ip - Non HA" (I used the management ip), nothing changed.

 

Can we be clear about the difference between Remote SYSLOG and High Speed Logging.

 

Remote Syslog is logging from syslog (i.e control-plane service logs) to a syslog server.

 

This traffic can be routed through tmm and should use the appropriate non-floating self-IP address as the source, or the management IP address (if the syslog server is on the management network). Some elements of the syslog config are synced config across the device-group, and some (such as the local-ip) are local to the device and need to be configured individually on each member of the device-group after syncing the config.

 

High Speed Logging is data-plane logging from iRules/Logging Profiles/Request Logging Profile. Logs sent to HSL should always remain in tmm (on the data-plane) and should not pass through syslog on the control plane or be written to disk. While you can send this traffic to a syslog server routed via the management network (as above) this is not generally recommended.

 

K50040950: Configuring the BIG-IP system to send high-speed logs through the management interface

 

HSL logs are generated from the Active device/traffic-groups

 

So you need to create the remote syslog destination, sync the config, and then ensure each device is configured with the appropriate local-ip so you can determine which device sent the traffic.