Forum Discussion
Send only Audit logs to remote syslog
Hi,
We have a QRadar server where we will send the F5 logs. We only want the Audit logs to be sent to QRadar.
How can I filter what type of logs I send to the remote syslog server (QRadar), so we only send Audit logs to it?
Thanks a lot.
SANTS.
6 Replies
- JRahm
Admin
Hi SANTS, in 11.6 (and earlier, though I don't know specifically which version it was introduced) you can create log filters, destinations, and publishers right in the GUI.
1st step: system->logs->configuration->log destination
2nd step: system->logs->configuration->log publisher
3rd step: system->logs->configuration->log filters
If on earlier systems, you can configure in tmsh/syslogd as well (good info in this article)
- SANTS_boy_18328
Nimbostratus
Thanks a lot Jason. Am I forced to use High-speed logging? (So I cannot use the management interface to send logging traffic?)
Thanks.
Regards,
SANTS
- SANTS_boy_18328
Nimbostratus
Thanks Jason, but when you press remote syslog, you are forced to put the High Speed Syslog afterwards.
How can I over pass this?
thanks.
SANTS
- JRahm
Admin
Right... but that just means you are using HSL under the hood of BIG-IP; if you select syslog formatting, it won't just be the RAW format typical of HSL. All that's required for that is to define a pool (can be one member->your syslog server) and then select it as your destination.
- SANTS_boy_18328
Nimbostratus
Yes, I will use a pool of 1 server. My question is then: can I send the traffic through the management interface, or am I forced to use a data interface?
Thanks a lot.
SANTS