Remote Syslog for ASM
Dear All,
I need to send ASM event logs to a syslog server. I have already made event log profiles for ASM (Security > Event Logs > Logging Profiles) and associated them with the virtual server, but the syslog server didn't receive any logs from ASM.
My questions are:
- Is there any other configuration or prerequisite that I need to do besides making event log profiles and associating the profile with the VS?
- If we want to send logs to a syslog server, which IP do we use? Management IP or self-IP?
Thanks in advance for your help.
Ahmad
13 Replies
- mrshaggy_169440
Nimbostratus
For additional information, I can reach this syslog server from my management IP, and I have already tried restarting the syslog-ng services.
Thanks,
Ahmad
- Jinshu
Cirrus
The syslog configuration typically takes the management IP address if you haven't mentioned any other address in the source IP details in the remote syslog server configuration.
Also, please make sure that you have enabled the appropriate logging level for the ASM (System ›› Logs ›› Configuration ›› Options).
regards, Jinshu
- mrshaggy_169440
Nimbostratus
Jinshu,
Yes, I have also set the ASM minimum logging level to "Information". So the configuration on the F5 side is enough, right?
For information, the syslog server is AlienVault Syslog. Maybe somebody here has done remote logging to AlienVault too.
Thanks,
Ahmad
- Jinshu
Cirrus
Hello Ahmad,
I am not sure about the AlienVault configuration side, but for F5 there is no specific configuration for any vendor SIEM.
Please go through the below link and make sure that you have done everything as needed to log remotely. I assume your version is 11.6.0.
Regards, Jinshu
- mrshaggy_169440
Nimbostratus
Yap,
I am already done with the "Setting up remote logging" and "Associating a logging profile with a security policy" steps, but it is still not working. I'll ask the AlienVault engineer to recheck their configuration.
Thanks Jinshu
you can also do some tcpdumping to see if syslog traffic leaves the big-ip.
- mrshaggy_169440
Nimbostratus
Dear Boneyard,
Yes, the problem is that there is no syslog traffic from the F5 to the syslog server when we do a tcpdump. If we do a ping test, the tcpdump shows traffic from and to the syslog server.
Any other ideas? I have followed all the remote syslog configuration for ASM.
Thanks.. Ahmad
to double check, can you provide an (obfuscated) screenshot of your logging profile
Security ›› Event Logs : Logging Profiles ›› Edit Logging Profile
and a screenshot of your security tab at the virtual server.
If we want to send logs to a syslog server, which IP do we use? Management IP or self-IP?
this might also be your issue, in principle the selfIP is used if you don't create a specific management route. on which interface were you doing the packet capture?
- mrshaggy_169440
Nimbostratus
This is my logging profile and security tab of my VS.
I'm not doing any additional routing config on the F5, but it's only my management IP which can ping the syslog server. I'm doing the packet capture on my management IP.
Thanks before, Ahmad
I'm not doing any additional routing config on the F5, but it's only my management IP which can ping the syslog server. I'm doing the packet capture on my management IP.
well that is an issue when the actual traffic is coming from the selfIP. can you confirm that is the case by trying a packet capture on the outgoing VLAN interface?
if you want this to work via the management interface you can look into management routes, see this sol:
http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13284.html