Forum Discussion
Marvin_129795
Nimbostratus
NimbostratusSyslog Arcsight and remote destination Syslog combined
Hi All,
I have a Big IP LTM + ASM installed. Within the ASM I have a logging profile configured that sends the ASM logs in CEF format to Arcsight that works perfect.
I also have a standard Syslog destination configured in the System menu with the same remote log destination, because I also want standard Syslog information to be send to the same Syslog server.
The problem is that it just does not work. If I generate some logs by shutting down a pool there is no traffic sent to the Syslog server. The very strange thing is when I change the IP to another IP that is different than the Arcsight IP it is being sent.
So it seems like if you are not able to combine a ASM syslog CEF and a normal Syslog destination using the same IP destination.
I also tried to restart the syslog-ng daemon but that also did not fix the problem.
Does someone has an explanation for this?
Amit_KarnikThe ASM logging profile might be looking up the routing for the syslog IP in the tmm route-table.
The syslogd is sending syslogs from the management-ip and lookuping up the route in "tmsh sys management-route"
A tcpdump would help pinpoint the issue.
cheers.
MarvinCirrocumulus
Hi Amit,
You are totally right. I was using tcpdump with the option -i 0.0 but that didn’t capture the management packets. So when I started to capture specifically the management interface I did see the traffic.
Case closed.
Thanks