Forum Discussion

dipta_03_149731's avatar
dipta_03_149731
Icon for Nimbostratus rankNimbostratus
Feb 02, 2016

We have a Qradar remote server which wants to see logs which will allow them to trace traffic back to the source when traffic passes through the F5

Here is the current config of your remote logging:   Log to a remote host destination d_loghost { udp("10.195.55.x" port(514)); udp("172.30.201.x" port(514) localip(172.30.27.x)); };   ...
LTM
security
dipta_03_149731's avatar
dipta_03_149731
Icon for Nimbostratus rankNimbostratus
Feb 02, 2016

Thanks for responding Pete. Sorry I didn't quite understand what F5 config you referred since they want to see logs from all floating and self Ips configured on the device.

 

For example when we show sys conn, we see below logs right, i.e from which public Ips hits are coming to F5. They want to see similar logs on the remote server for securiy purpose.

 

212.250.156.93:17131 172.27.50.x:443 any6.any any6.any tcp 1118 (tmm: 0) none 212.250.156.93:15581 172.27.50.x:443 172.27.51.x1:10214 10.195.146.91:80 tcp 886 (tmm: 2) none 212.250.156.93:49843 172.27.50.x:443 any6.any any6.any tcp 1653 (tmm: 0) none 212.250.156.93:28134 172.27.50.x:443 172.27.51.x1:4289 10.195.146.91:80 tcp 966 (tmm: 1) none 212.250.156.93:58833 172.27.50.x:443 172.27.51.x1:7474 10.195.146.91:80 tcp 1339 (tmm: 2) none 212.250.156.93:24047 172.27.50.x:443 any6.any any6.any tcp 8 (tmm: 0) none 212.250.156.93:12936 172.27.50.x:443 172.27.51.x1:4751 10.195.146.91:80 tcp 169 (tmm: 3) none 212.250.156.93:9412 172.27.50.x:443 172.27.51.x1:16691 10.195.146.91:80 tcp 959 (tmm: 3) none