For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Felkor_29336's avatar
Felkor_29336
Icon for Nimbostratus rankNimbostratus
Apr 12, 2012

Syslog & Source IP on cluster

Hello,

 

 

I encounter a bug with the syslog-ng process : there was no syslog trafic initiated by the F5 on the remote syslog server after a reboot of the BIGIP.

 

This was in fact related to a known issue : see http://support.f5.com/kb/en-us/solu...10239.html :

 

 

 

This is the result of a known issue. The BIG-IP system does not force daemons to use the configured management port address. As a result, the traffic may not use the intended source address or route when sending unsolicited outbound traffic. (...) Processes, such as ntpd, which do not allow the address to be specified may not consistently use the intended address or route, and communication for the service provided by the process may be interrupted at system startup or upon subsequent restarts of the process.

 

 

 

The workaround :

 

 

 

- For ntpd, be sure that a management route is configured for the syslog serve (hosted an another VLAN)

 

 

 

=> A management route was set for the syslog (the syslog server is on anoter VLAN) but this doesn't impact the behaviour. I check, there is not other route for this subnet on the TMM routes.

 

 

 

- For syslog-ng, configure a source IP to be sure that the preocess will be using the intended source IP.

 

 

 

=> I try to configure a Source IP for the syslog (cf http://support.f5.com/kb/en-us/solu...12080.html) Works fine, even after reboot/restart.

 

 

 

 

 

But there is another issue, related to this workaround : the Source IP for the syslog is saved on the bigip_sys.conf file, and this file is synchronized between the two members of the cluster.

 

So the 2 BIGIP are using the same Source IP Address to perform the log on the syslog. We can still saw which bigip is performing the logs (we saw the hostname on the syslog) however this is not the best way.

 

 

 

Someone had the same issue before ? If yes, do you find a workaround on the F5 to avoid this issue ?

 

 

 

 

 

Thank you for your help :)

 

 

 

Kind regards,

 

 

 

 

 

management
monitoring

7 Replies

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Apr 12, 2012
    But there is another issue, related to this workaround : the Source IP for the syslog is saved on the bigip_sys.conf filewhat version are you running? mine is 10.2.3 and syslog include is saved in bigip_base.conf.
  • Felkor_29336's avatar
    Felkor_29336
    Icon for Nimbostratus rankNimbostratus
    Apr 12, 2012
    Interesting !

     

     

    I performed some test in lab with a v10.1.0 (VM).

     

    However, the issue happened on other devices (10.2.0 HF2 and 10.2.1 HF3) with the same behaviour.

     

     

    When performing the configuration of the syslog with the bigpipe command, the configuration is saved on the bigip_sys file. I try to delete the configuration from this file, and paste it on the bigip_base.conf, but it doesn't work.

     

    The configuration was loaded without issue, but there was no syslog trafic generated by the F5 (I check this with some tcpdumps).

     

     

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Apr 13, 2012
    it is changed in 10.2.2 (file which syslog configuration will be stored).

     

     

    syslog

     

     

    Command: bigpipe syslog

     

    UNIX Configuration File: /var/run/config/syslog-ng.conf

     

    Symlink File: /etc/syslog-ng/syslog-ng.conf

     

    BIG-IP System File: /config/bigip_base.conf (version 10.2.2 and later only*)

     

    /config/bigip_sys.conf (All versions)

     

     

    *Note: For details, refer to sol13107: Change in Behavior: The syslog-ng local ip setting is now saved in the bigip_base.conf filesol8436: Overview of UNIX configuration files

     

    http://support.f5.com/kb/en-us/solutions/public/8000/400/sol8436.html
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Apr 13, 2012
    Thanks for pointing that out Nitass. That's news to me too.

     

     

    Aaron
  • Felkor_29336's avatar
    Felkor_29336
    Icon for Nimbostratus rankNimbostratus
    Apr 16, 2012
    The support give me an other solution, otherwise to perform the upgrade : it is to modify the behaviour of the configuration file of the F5.

     

    A little procedure here, this could maybe help !

     

     

    1. Mount the usr partition in rw

     

     

    mount -o remount,ro /usr

     

     

    2. Backup and modify the config_base.conf file

     

    Basically, this file determines all attributes of all objects of the configuration, which one are or not sync, etc

     

     

    cp /usr/share/defaults/config_base.conf /usr/share/defaults/config_base.conf.bak

     

     

    Locate the following portion of code in the file :

     

     

    (syslog-ng.conf)

    config class syslog {

     

    category "confpp"

     

    singleton enable

     

    configsyncd enable

     

    fields {

     

    ...

     

    include {

     

    display "Include Data"

     

    type string

     

    appdata "unix_config_syslog.replace.include"

     

    clustered enable

     

    configsyncd enable

     

    }

     

    ...

     

    }

     

    nested remote_server

     

    }

     

     

    Change configsyncd enable to configsyncd disable.

     

    Save the modification.

     

     

    3. Reload the services in forceload mode

     

     

    touch /service/mcpd/forceload bigstart restart

     

     

     

    After that, when you create a syslog server with a localip, the local ip is hosted in the bigip_base.conf, as in the 10.2.2 versions and above !

     

     

    Thanks Kevin White from F5 for the tips :)