
Felkor_29336
Apr 12, 2012

Syslog & Source IP on cluster




I encountered a bug with the syslog-ng process: there was no syslog traffic initiated by the F5 to the remote syslog server after a reboot of the BIGIP.


This was in fact related to a known issue : see :




This is the result of a known issue. The BIG-IP system does not force daemons to use the configured management port address. As a result, the traffic may not use the intended source address or route when sending unsolicited outbound traffic. (...) Processes, such as ntpd, which do not allow the address to be specified may not consistently use the intended address or route, and communication for the service provided by the process may be interrupted at system startup or upon subsequent restarts of the process.




The workaround :




- For ntpd, be sure that a management route is configured for the syslog server (hosted on another VLAN)




=> A management route was set for the syslog (the syslog server is on another VLAN) but this doesn't impact the behaviour. I checked; there is no other route for this subnet in the TMM routes.




- For syslog-ng, configure a source IP to be sure that the process will be using the intended source IP.




=> I tried to configure a Source IP for the syslog (cf Works fine, even after reboot/restart.






But there is another issue, related to this workaround: the Source IP for the syslog is saved in the bigip_sys.conf file, and this file is synchronized between the two members of the cluster.


So the 2 BIGIPs are using the same Source IP address to perform the logging on the syslog. We can still see which BIGIP is performing the logs (we see the hostname on the syslog); however, this is not the best way.




Has anyone had the same issue before? If yes, did you find a workaround on the F5 to avoid this issue?






Thank you for your help :)




Kind regards,






7 Replies

  • "But there is another issue, related to this workaround : the Source IP for the syslog is saved on the bigip_sys.conf file"

    what version are you running? mine is 10.2.3 and syslog include is saved in bigip_base.conf.
  • Interesting !



    I performed some tests in a lab with a v10.1.0 (VM).


    However, the issue happened on other devices (10.2.0 HF2 and 10.2.1 HF3) with the same behaviour.



    When performing the configuration of the syslog with the bigpipe command, the configuration is saved in the bigip_sys file. I tried to delete the configuration from this file and paste it into the bigip_base.conf, but it didn't work.


    The configuration was loaded without issue, but there was no syslog traffic generated by the F5 (I checked this with some tcpdumps).



  • it was changed in 10.2.2 (the file in which the syslog configuration is stored).






    Command: bigpipe syslog


    UNIX Configuration File: /var/run/config/syslog-ng.conf


    Symlink File: /etc/syslog-ng/syslog-ng.conf


    BIG-IP System File: /config/bigip_base.conf (version 10.2.2 and later only*)


    /config/bigip_sys.conf (All versions)



    *Note: For details, refer to sol13107: Change in Behavior: The syslog-ng local ip setting is now saved in the bigip_base.conf file

    sol8436: Overview of UNIX configuration files

  • Thanks for pointing that out Nitass. That's news to me too.



  • Support gave me another solution, other than performing the upgrade: it is to modify the behaviour of the configuration file of the F5.


    A little procedure here, this could maybe help !



    1. Mount the usr partition in rw



    mount -o remount,rw /usr



    2. Backup and modify the config_base.conf file


    Basically, this file determines all attributes of all objects of the configuration, which ones are synced or not, etc.



    cp /usr/share/defaults/config_base.conf /usr/share/defaults/config_base.conf.bak



    Locate the following portion of code in the file :




    config class syslog {


    category "confpp"


    singleton enable


    configsyncd enable


    fields {




    include {


    display "Include Data"


    type string


    appdata "unix_config_syslog.replace.include"


    clustered enable


    configsyncd enable








    nested remote_server





    Change configsyncd enable to configsyncd disable.


    Save the modification.



    3. Reload the services in forceload mode



    touch /service/mcpd/forceload
    bigstart restart




    After that, when you create a syslog server with a localip, the local ip is hosted in the bigip_base.conf, as in the 10.2.2 versions and above !



    Thanks Kevin White from F5 for the tips :)
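
An added example, not part of the thread or of F5's tooling: a shell check that reports both `configsyncd` flags of the `config class syslog` block, so the edited `/usr/share/defaults/config_base.conf` can be compared with the `.bak` copy before the forced reload. The closing braces, the one-block-per-line layout and the `demo` class in the sample are assumptions built on the excerpt quoted in the procedure.

```shell
#!/bin/sh
# syslog_sync_flags FILE -> prints "class=<value> include=<value>"
# Assumes each block opens with "name {" and closes with "}" on its own line.
syslog_sync_flags() {
    awk '
        # Start tracking at the class named in the procedure.
        /^[ \t]*config class syslog[ \t]*[{][ \t]*$/ { depth = 1; path[1] = "syslog"; next }
        depth == 0 { next }                          # ignore every other class
        /[{][ \t]*$/   { depth++; path[depth] = $1; next }
        /^[ \t]*[}]/   { depth--; if (depth == 0) exit; next }
        $1 == "configsyncd" {
            if (depth == 1) cls = $2                 # class-level flag
            else if (depth == 3 && path[2] == "fields" && path[3] == "include")
                incl = $2                            # flag of the include field
        }
        END {
            printf "class=%s include=%s\n", (cls == "" ? "missing" : cls), (incl == "" ? "missing" : incl)
        }
    ' "$1"
}

# write_sample FILE FLAG: constructed sample, not a real config_base.conf.
# The "demo" class is hypothetical and only shows that other classes are skipped.
write_sample() {
    cat > "$1" <<EOF
config class demo {
    configsyncd disable
}
config class syslog {
    category "confpp"
    singleton enable
    configsyncd enable
    fields {
        include {
            display "Include Data"
            type string
            appdata "unix_config_syslog.replace.include"
            clustered enable
            configsyncd $2
        }
    }
}
EOF
}

tmp=$(mktemp)
write_sample "$tmp" enable;  syslog_sync_flags "$tmp"
write_sample "$tmp" disable; syslog_sync_flags "$tmp"
rm -f "$tmp"
```

On a unit, run `syslog_sync_flags` against both `config_base.conf` and `config_base.conf.bak` and confirm that only the intended flag differs.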