Forum Discussion

Nimbostratus

Feb 02, 2016

We have a Qradar remote server which wants to see logs which will allow them to trace traffic back to the source when traffic passes through the F5

Here is the current config of your remote logging: Log to a remote host destination d_loghost { udp("10.195.55.x" port(514)); udp("172.30.201.x" port(514) localip(172.30.27.x)); }; ...

LTM

security

PeteWhite

Employee

Feb 02, 2016

Can you post the F5 config as well. You are configuring remote syslog which means that you will send the system logs to the server. However, this does not send logs about the connections through a virtual server. For this you want to configure request logging via a request logging profile. One point to note is that you need the syslog server accessible via the tmm interface, not via management. Each tmm will create a connection and it will quite quickly overload many log servers, especially with something like a Viprion.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)