Deploying BIG-IP Telemetry Streaming with Azure Sentinel as its consumer.
AZURE SENTINEL and BIG-IP
...with Telemetry Streaming!
This work was completed as a collaboration of Remo Mattei r.mattei@f5.com and Bill Wester b.wester@f5.com, feel free to email us if you ha...
Published Oct 26, 2020
Version 1.0William_Wester
Employee
Joined May 22, 2019
William_Wester
Employee
Joined May 22, 2019
antonym
Nov 24, 2022Altostratus
One of the reasons this doesn't work is that in the declaration above the guys have put a tcp monitor on the "telemetry" pool. A tcp connection attempt to 255.255.255.254 from the monitor fails (not sure why as the log profile uses TCP to route using that pool) but this marks the member down and the logging fails.
I found the only way to get this to work is to remove the monitor. You should then be able to see traffic hitting the pool member. You can also test using a tcpdump :
tcpdump -nn -A -s 0 -i any host 255.255.255.254
- which will show the request logs hitting the local loopback (and you can see the request log data in the trace).