Forum Discussion

CEnroth's avatar
CEnroth
Icon for Nimbostratus rankNimbostratus
Oct 28, 2023

LTM Policy don't send to external log server

Hi

Can someone explain to me, what im doing wrong.

I have a policy attached to a Virtual-Server, and it is triggered when a specific URI enters.
There are two actions, one that logs a message to local logfile, and another that logs to a remote syslog server.

I can see that the actions are triggered because my message is writen to the local log file, but nothing is sent towards my syslog server. I have verified it with TCPDUMP that nothing is leaving the management interface, and I have also tried with different hosts and ports.

This is the policy i created.

Regards
Christian

  • CEnroth This might be one of those instances where you try the iRule equivalent and see if it has the same results. If you do have the same result you might have to reach out to F5 TAC to see if it's an unkown bug or possibly a missconfiguration.

  • CEnroth The management interface isn't automatically used for syslog and would be completely dependent on your routing table for your management interface along with the routing table for traffic that the F5 load balances and/or forwards. You can verify what's being used by running the following two commands.

    list sys management-route one-line
    list net route one-line

    The first command will show your statis routes that you have configured for the management interface and the second will be the routes for your general load balanced and/or forwarded traffic on the F5. Please note that the default route on the management interface does not supercede the default route on the routed interfaces of the F5 and the only thing that would supercede it is a specific route on the management interface or if the subnet is directly connected on the management interface. If your F5 is in path it will use whichever interface is closest to the routed destination to communicate with the log server.

    • CEnroth's avatar
      CEnroth
      Icon for Nimbostratus rankNimbostratus

      PauliusThanks for the information.
      In this case I use "Route Domains" for all other communications, so "list net route one-line" is empty.
      Mgmt interface had a "default route", but to be sure that nothing had better route then that I added a /32.

      Once in a while I get below error message, and initially i thought it was remote syslog server that "rejected" the packages but as I said in before I used TCPDUMP to see if anything exited the Mgmt interface but nothing did.

      Error in log file:
      Execution of action 'log write port=514 message= facility=local0 priority=info ip-address=192.168.0.100' failed, error ERR_REJECT

      It is possible that packages leaves the loadbalancer on some other interface, but I had TCPDUMP listen on all other interface and did not see udp/514 packages on any of them.

      And forgot to say that i can  PING syslog server from LB, and that package leaves on Mgmt interface.

      /C

      • Paulius's avatar
        Paulius
        Icon for MVP rankMVP

        CEnroth This might be one of those instances where you try the iRule equivalent and see if it has the same results. If you do have the same result you might have to reach out to F5 TAC to see if it's an unkown bug or possibly a missconfiguration.