Request Logging/Log Publisher
I am having a really difficult time grasping the relationship between a log publisher, a formatted log destination and an unformatted destination. All the F5 information I can find on log publishers only gives a simple one-sentence explanation of what a log publisher does. Is it the log publisher that formats the data into Splunk format (JSON) and then sends it to a formatted log destination (virtual server for Splunk), which then sends it to an unformatted high-speed log destination (virtual server for Splunk), which then load-balances it to the actual Splunk servers? I just don't get what is happening between the publisher, the formatted log destination and the unformatted log destination, and I cannot find any expanded information on what is actually happening. I can only find one-sentence explanations and configuration instructions. The following link has a diagram of the publisher. If anyone can explain this or point me to detailed documentation on this subject, that would be great. https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-12-0-0/4.html
- rglus6970_30822Nimbostratus
- rglus6970_30822Nimbostratus
Here is the diagram I was referencing
- I_R_101_110Cirrus
I felt the page below gave good relevant information, though the inner machinations you may be looking for are not explained in detail. I would assume the internal flow is similar to the diagram you posted. The unformatted/formatted logging destinations are a confusing concept for me as well, but I just chalk it up to something that is likely simple code behind the hood but convoluted in the config/GUI. Regardless, this excerpt was helpful in giving me enough information to complete my configurations.
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-concepts-11-4-0/11.html
For an example of configuring remote, high-speed logging, suppose you want to send all Protocol Security messages to a group of remote ArcSight servers. In this case, you would create:
- A load balancing pool for the ArcSight logging servers.
- An unformatted Remote High-Speed Log destination that references the pool of ArcSight logging servers.
- A formatted ArcSight log destination that references an unformatted log destination.
- A publisher that references the formatted and unformatted log destinations.
- A Protocol Security logging profile that references the publisher.
- An LTM virtual server or GTM listener that references the logging profile and the load balancing
I hope this helps.
Kind regards,
Nicolas
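The first four objects from the list quoted above, written out as tmsh commands to show which object references which. This is an added example, not part of the original posts or of the F5 manual; every object name, the member addresses and the port are constructed placeholders, and the logging profile and virtual server steps are left out.

```tmsh
# 1. Pool of remote log servers (constructed addresses and port).
create ltm pool pool_arcsight_hsl members add { 192.0.2.10:514 192.0.2.11:514 } monitor tcp

# 2. Unformatted Remote High-Speed Log destination: transport only.
#    It sends whatever it is handed to the pool, which load-balances
#    across the log servers.
create sys log-config destination remote-high-speed-log dest_hsl_unformatted pool-name pool_arcsight_hsl protocol tcp

# 3. Formatted ArcSight destination: formatting only.
#    It has no pool of its own; forward-to names the unformatted
#    destination that carries the formatted message.
create sys log-config destination arcsight dest_arcsight_formatted forward-to dest_hsl_unformatted

# 4. Publisher: the named handle that a logging profile points at.
#    Listing the formatted destination here gives the chain
#    publisher -> formatted -> unformatted -> pool -> log servers.
create sys log-config publisher pub_arcsight destinations add { dest_arcsight_formatted }

# Check the reference chain after creating the objects.
list sys log-config destination arcsight dest_arcsight_formatted
list sys log-config destination remote-high-speed-log dest_hsl_unformatted
list sys log-config publisher pub_arcsight
```

For the Splunk case in the question, the same layout applies with `destination splunk` in step 3 in place of `destination arcsight`.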