CEnroth
Oct 28, 2023
Solved

LTM Policy doesn't send to external log server

Hi

Can someone explain to me what I'm doing wrong?

I have a policy attached to a Virtual-Server, and it is triggered when a specific URI enters.
There are two actions, one that logs a message to local logfile, and another that logs to a remote syslog server.

I can see that the actions are triggered because my message is written to the local log file, but nothing is sent towards my syslog server. I have verified with TCPDUMP that nothing is leaving the management interface, and I have also tried with different hosts and ports.

This is the policy I created.

Regards
Christian

4 Replies

  • CEnroth The management interface isn't automatically used for syslog and would be completely dependent on your routing table for your management interface along with the routing table for traffic that the F5 load balances and/or forwards. You can verify what's being used by running the following two commands.

    list sys management-route one-line
    list net route one-line

    The first command will show the static routes that you have configured for the management interface and the second will be the routes for your general load balanced and/or forwarded traffic on the F5. Please note that the default route on the management interface does not supersede the default route on the routed interfaces of the F5 and the only thing that would supersede it is a specific route on the management interface or if the subnet is directly connected on the management interface. If your F5 is in path it will use whichever interface is closest to the routed destination to communicate with the log server.

    • CEnroth

      Paulius Thanks for the information.
      In this case I use "Route Domains" for all other communications, so "list net route one-line" is empty.
      Mgmt interface had a "default route", but to be sure that nothing had a better route than that I added a /32.

      Once in a while I get the error message below, and initially I thought it was the remote syslog server that "rejected" the packages, but as I said before, I used TCPDUMP to see if anything exited the Mgmt interface but nothing did.

      Error in log file:
      Execution of action 'log write port=514 message= facility=local0 priority=info ip-address=192.168.0.100' failed, error ERR_REJECT

      It is possible that packages leave the loadbalancer on some other interface, but I had TCPDUMP listen on all other interfaces and did not see udp/514 packages on any of them.

      And I forgot to say that I can PING the syslog server from the LB, and that package leaves on the Mgmt interface.

      /C

      • Paulius

        CEnroth This might be one of those instances where you try the iRule equivalent and see if it has the same results. If you do have the same result you might have to reach out to F5 TAC to see if it's an unknown bug or possibly a misconfiguration.
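
An iRule equivalent of the policy's two log actions, as an added example that is not part of the original thread. The URI `/example-uri` and the pool name `syslog_pool` are assumptions; the pool is assumed to hold one UDP member at 192.168.0.100:514, the address and port from the error message above. HSL sends from TMM through that pool, so the packets follow the pool member's route rather than the management routing table.

```tcl
# Added example, not code from the thread.
# Assumptions: the matched URI "/example-uri" and a pool named syslog_pool
# whose only member is the syslog server 192.168.0.100:514 (UDP).

when CLIENT_ACCEPTED {
    # Open one high-speed-logging handle per client connection.
    set hsl [HSL::open -proto UDP -pool syslog_pool]
}

when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/example-uri" } {
        set msg "uri match: client=[IP::client_addr] host=[HTTP::host] uri=[HTTP::uri]"

        # Local action: message goes to the local LTM log.
        log local0.info $msg

        # Remote action: <134> is the syslog PRI value for
        # facility local0 (16) * 8 + severity info (6).
        HSL::send $hsl "<134>$msg\n"
    }
}
```

If the local line appears but no udp/514 traffic is seen on any interface, the result matches the policy's behaviour and points at routing or pool reachability rather than at the policy action itself.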