Forum Discussion

wilko_113503
Mar 08, 2010

Syslogging

Hi,

I am having no luck sending syslog to a remote server from an LTM on Version 9.4.7.

Steps taken already:

Tried SOL5527 using:

1. Log in to the command line.

2. To configure the remote syslog server, type the following command:

bigpipe syslog remote server

3. To save the configuration, type the following command:

bigpipe save

When typing the following command

bigpipe syslog list all

I do see the newly configured syslog server

......
remote port 514
remote server x.x.x.x
userlog from notice
userlog to emerg

From another window on the same box I then run a tcpdump:

tcpdump -i eth0 udp and host x.x.x.x

I then run logger -t test -p debug test

But do not see any attempt to send syslogs out to my remote server.

When doing the same test on a box that is working I see the output in the tcpdump.

I have also followed the article http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=155

but no luck, I don't get any error messages.

When typing the following command

bigpipe syslog list all

I also see the remote server has been added.

Any ideas?

Thanks in advance
  • hoolio
    Hi wilko,

    Do you have a management route to the syslog server? If you do a tcpdump on 0.0 instead of eth0, do you see any packets destined for the syslog server address?

    Aaron
  • Hi Aaron,

    I have tried doing the following as you suggested, "tcpdump -i 0.0 udp and host x.x.x.x", however I am still not seeing any packets. I can ping the remote syslog server.

    Cheers
  • hoolio
    So I guess it's not routing if you can ping the syslog server. Just to confirm, can you remove the UDP filter from the tcpdump and see whether the pings are going out via a switch port (viewable in a 0.0 trace) or through the management port (viewable in a trace on eth0)?

    tcpdump -i 0.0 host x.x.x.x

    tcpdump -i eth0 host x.x.x.x

    Can you try specifying a facility in the logger test:

    logger -p local0.debug "test message"

    Thanks,

    Aaron
  • Hi Aaron,

    I ran the command tcpdump -i 0.0 host x.x.x.x and ran a ping to the remote syslog server; I was seeing the packets on 0.0 and not eth0.

    Very strange: I ran the command bigpipe syslog list all and saw that the remote server was not listed, when I'm sure it was added yesterday, so I entered the following again: bigpipe syslog remote server x.x.x.x, then a b save. After doing this I was able to see packets using the command tcpdump -i 0.0 udp and host x.x.x.x; I am also seeing the packets for logger -p local0.debug "test message" on the same interface.

    I am a little confused about what 0.0 is; is this referencing the entire switch on any VLAN? I would have expected to see the traffic on the management port eth0.

    My config is set up as follows:

    External Vlan 1.1

    Internal vlan 1.2

    Is there a way of specifying that syslog traffic should route over the management network, or of adding a static route to send all traffic destined for the syslog server via the management network? I have tried via the GUI Network>Routes but get the following error:

    01070330:3: Static route gateway x.x.x.x is not directly connected via an interface. (when entering the IP address of the gateway for the management network)

    Cheers,

    Wilko
  • Aaron,

    Thanks for all your help, once I added in the route to go via the management interface syslogs were then being delivered to the remote server.

    Cheers,

    Ross
  • I have carried out the exact same change on another F5 and saw that the syslog traffic was leaving with my external IP address through the management interface.

    Using the article given to me by Aaron, https://support.f5.com/kb/en-us/solutions/public/3000/600/sol3669.html, after adding the command bigpipe mgmt route netmask gateway

    I then had to carry out the command bigstart restart (caution: this will cause the system daemons to restart, and disrupt LB traffic!)

    Once restarted, the traffic was leaving with the correct IP address.
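
Added example, not part of the original thread or written by its participants: a receiver-side check for the remote syslog server that decodes the `<PRI>` header of each UDP datagram (so a `logger -p local0.debug` test can be recognised) and flags datagrams arriving from a source address other than the expected one, the symptom described in the last post. The function names are hypothetical and the addresses are constructed documentation values.

```python
import socket

# Syslog facility and severity names, indexed by their numeric codes.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

def decode_pri(datagram: bytes):
    """Split a BSD-syslog datagram '<PRI>text' into (facility, severity, text)."""
    text = datagram.decode("utf-8", errors="replace")
    end = text.find(">")
    if not text.startswith("<") or not 2 <= end <= 4 or not text[1:end].isdigit():
        raise ValueError("no valid <PRI> header")
    pri = int(text[1:end])  # PRI = facility * 8 + severity
    if pri > 191:
        raise ValueError("PRI out of range")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], text[end + 1:]

def check(datagram: bytes, source_ip: str, expected_source: str):
    """Describe one received datagram and flag an unexpected source address."""
    facility, severity, text = decode_pri(datagram)
    return {"source": source_ip, "source_ok": source_ip == expected_source,
            "priority": f"{facility}.{severity}", "text": text}

def listen(expected_source: str, bind=("0.0.0.0", 514), count=5):
    """Receive `count` datagrams on the collector and print a verdict for each.

    Binding UDP port 514 normally requires elevated privileges.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind)
        for _ in range(count):
            data, (src, _port) = sock.recvfrom(8192)
            try:
                print(check(data, src, expected_source))
            except ValueError as exc:
                print({"source": src, "error": str(exc)})

if __name__ == "__main__":
    # Constructed samples: a local0.debug test message seen once from the
    # expected (management) address and once from a different address.
    for src in ("192.0.2.10", "198.51.100.5"):
        print(check(b"<135>root: test message", src, expected_source="192.0.2.10"))
```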