Forum Discussion
NimbostratusLogging AFM rules
Hi,
I am trying to setup logging of firewall rules and encountering problems. The F5 is running v11.3.
The setup I'd like is to have F5 log to remote Splunk server using three different facilities, one for LTM virtual server events, one for system events, and one for firewall rules events.
First problem is that firewall rules only seem to be logged when rule is applied to a virtual server, whereas I would like to log the global rules. When you select a global rule, there doesn't seem to be anyway to associate this to a log profile.
Secondly, for virtual server rules, I can only get it working locally, and not to the high speed remote log server.
Does anyone have working configuration or know of some caveats/limitations around what firewall rules can be logged and where to?
2 Replies
JayP_46820Ok, found one part of problem, is that remote high speed logging does not work through management interfaces: http://support.f5.com/kb/en-us/solutions/public/14000/400/sol14459.html?sr=30986450This is an older thread but I found the solution:
The "global-network" logging profile is used by the Global, Route Domain, SelfIP, and Management Port contexts. You must enable logging (either locally or remotely - it's highly recommended you do remote) and enable logging of specific events (Accept, Drop, etc).
This worked for me sending to a simple syslog server. Play with the format to get specific information you want.
