Forum Discussion
We have a QRadar remote server which wants to see logs which will allow them to trace traffic back to the source when traffic passes through the F5.
Here is the current config of your remote logging:
Log to a remote host
destination d_loghost { udp("10.195.55.x" port(514)); udp("172.30.201.x" port(514) localip(172.30.27.x)); };
log { source(s_syslog_pipe); destination(d_loghost); };
10.195.55.x is the remote log server which should get logs from the F5 as per the syslog server configuration on the F5, but it doesn't receive any logs. Is there any modification required within the syslog file?
4 Replies
- PeteWhite
Employee
Can you post the F5 config as well? You are configuring remote syslog, which means that you will send the system logs to the server. However, this does not send logs about the connections through a virtual server. For this you want to configure request logging via a request logging profile. One point to note is that you need the syslog server accessible via the tmm interface, not via management. Each tmm will create a connection and it will quite quickly overload many log servers, especially with something like a Viprion.
- dipta_03_149731
Nimbostratus
Thanks for responding Pete. Sorry, I didn't quite understand what F5 config you referred to, since they want to see logs from all floating and self IPs configured on the device.
For example, when we run show sys conn, we see the logs below, right, i.e. from which public IPs hits are coming to the F5. They want to see similar logs on the remote server for security purposes.
212.250.156.93:17131 172.27.50.x:443 any6.any any6.any tcp 1118 (tmm: 0) none
212.250.156.93:15581 172.27.50.x:443 172.27.51.x1:10214 10.195.146.91:80 tcp 886 (tmm: 2) none
212.250.156.93:49843 172.27.50.x:443 any6.any any6.any tcp 1653 (tmm: 0) none
212.250.156.93:28134 172.27.50.x:443 172.27.51.x1:4289 10.195.146.91:80 tcp 966 (tmm: 1) none
212.250.156.93:58833 172.27.50.x:443 172.27.51.x1:7474 10.195.146.91:80 tcp 1339 (tmm: 2) none
212.250.156.93:24047 172.27.50.x:443 any6.any any6.any tcp 8 (tmm: 0) none
212.250.156.93:12936 172.27.50.x:443 172.27.51.x1:4751 10.195.146.91:80 tcp 169 (tmm: 3) none
212.250.156.93:9412 172.27.50.x:443 172.27.51.x1:16691 10.195.146.91:80 tcp 959 (tmm: 3) none
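The show sys conn output pasted above is exactly the record the poster wants the remote collector to be able to reconstruct: each line carries the client-side flow (public client to virtual server) and, once a pool-member connection exists, the server-side flow (SNAT address to pool member). The pool member and anything logging behind it only ever sees the SNAT address, so tracing "back to the source" is a join from server-side source back to client-side source. The following is an added example, not code from the thread or from F5: a small Python parser for this output that performs that join and handles the any6.any case (no server-side connection yet). The sample input is the poster's output reproduced as constructed test data, with their "x" redactions kept as-is.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the "tmsh show sys conn" lines pasted in the thread,
# with the poster's redacted octets ("x", "x1") left untouched.
SAMPLE_SYS_CONN = """\
212.250.156.93:17131 172.27.50.x:443 any6.any any6.any tcp 1118 (tmm: 0) none
212.250.156.93:15581 172.27.50.x:443 172.27.51.x1:10214 10.195.146.91:80 tcp 886 (tmm: 2) none
212.250.156.93:49843 172.27.50.x:443 any6.any any6.any tcp 1653 (tmm: 0) none
212.250.156.93:28134 172.27.50.x:443 172.27.51.x1:4289 10.195.146.91:80 tcp 966 (tmm: 1) none
212.250.156.93:58833 172.27.50.x:443 172.27.51.x1:7474 10.195.146.91:80 tcp 1339 (tmm: 2) none
212.250.156.93:24047 172.27.50.x:443 any6.any any6.any tcp 8 (tmm: 0) none
212.250.156.93:12936 172.27.50.x:443 172.27.51.x1:4751 10.195.146.91:80 tcp 169 (tmm: 3) none
212.250.156.93:9412 172.27.50.x:443 172.27.51.x1:16691 10.195.146.91:80 tcp 959 (tmm: 3) none
"""

# Field order on each line: client-side source, client-side destination
# (the virtual server), server-side source (SNAT), server-side destination
# (pool member), protocol, idle seconds, owning tmm, flags.
# "any6.any any6.any" on the server side means no pool-member connection
# exists for this flow (for example, the TLS handshake has not completed).
LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+\(tmm:\s*(\d+)\)\s+(\S+)$"
)


@dataclass(frozen=True)
class Conn:
    client: str
    virtual: str
    snat: Optional[str]    # server-side source, None when any6.any
    member: Optional[str]  # pool member, None when any6.any
    proto: str
    idle: int
    tmm: int
    flags: str


def split_endpoint(token):
    """Split an endpoint into (address, port).

    IPv4 endpoints are written addr:port; IPv6 endpoints and the any6.any
    placeholder use a dot before the port, so anything that is not exactly
    one colon is split on the last dot instead.
    """
    if token.count(":") == 1:
        host, port = token.rsplit(":", 1)
    else:
        host, port = token.rsplit(".", 1)
    return host, port


def parse_sys_conn(text):
    """Parse show sys conn output into Conn records, rejecting unknown lines."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised sys conn line: {line!r}")
        cs_src, cs_dst, ss_src, ss_dst, proto, idle, tmm, flags = m.groups()
        has_server_side = split_endpoint(ss_src)[0] != "any6"
        conns.append(Conn(
            client=cs_src, virtual=cs_dst,
            snat=ss_src if has_server_side else None,
            member=ss_dst if has_server_side else None,
            proto=proto, idle=int(idle), tmm=int(tmm), flags=flags))
    return conns


def snat_to_client_map(conns):
    """Map what the pool member sees (SNAT addr:port) back to the real client."""
    return {c.snat: c.client for c in conns if c.snat is not None}


def trace_lines(conns):
    """Render one key=value trace line per connection, the shape of record a
    remote collector needs to walk a pool-member-side flow back to its origin."""
    out = []
    for c in conns:
        if c.snat is None:
            out.append(f"client={c.client} virtual={c.virtual} server_side=none tmm={c.tmm}")
        else:
            out.append(f"client={c.client} virtual={c.virtual} snat={c.snat} "
                       f"member={c.member} tmm={c.tmm}")
    return out


if __name__ == "__main__":
    conns = parse_sys_conn(SAMPLE_SYS_CONN)
    for line in trace_lines(conns):
        print(line)
    # The pool member saw 172.27.51.x1:10214; which public client was that?
    print(snat_to_client_map(conns).get("172.27.51.x1:10214"))
```

The join in snat_to_client_map is only valid for the instant the table was sampled: SNAT ports are reused once a connection closes, so a collector correlating on it needs the timestamp of each record as well, which is why a per-request log emitted by the F5 itself (as Pete suggests) is the durable source for this, not periodic snapshots of the connection table.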
- RossVermette
Nimbostratus
Which module are you interested in monitoring with QRadar? If you're using ASM you will need to define a logging profile that uses TCP, as QRadar expects ASM traffic as TCP. For LTM logs then it would be standard syslog UDP. There are also configs that need to be done on the QRadar side to "categorize and index" the log source correctly. Can you let us know what module logs you're interested in sending to QRadar?
- pete_71470
Cirrostratus
You could use a packet filter that logs: Network -> Packet Filters -> Rules. This could generate a giant flood of traffic and might affect performance of your F5. You can generate specific rules to narrow down the scope of logging.