Deploying BIG-IP Telemetry Streaming with Azure Sentinel as its consumer.
AZURE SENTINEL and BIG-IP ...with Telemetry Streaming!
This work was completed as a collaboration of Remo Mattei r.mattei@f5.com and Bill Wester b.wester@f5.com, feel free to email us if you ha...
Published Oct 26, 2020
Version 1.0
William_Wester (Employee, joined May 22, 2019)
antonym (Nimbostratus), Nov 24, 2022:
One of the reasons this doesn't work is that in the declaration above the guys have put a tcp monitor on the "telemetry" pool. A tcp connection attempt to 255.255.255.254 from the monitor fails (not sure why as the log profile uses TCP to route using that pool) but this marks the member down and the logging fails.
I found the only way to get this to work is to remove the monitor. You should then be able to see traffic hitting the pool member. You can also test using tcpdump:
tcpdump -nn -A -s 0 -i any host 255.255.255.254
which will show the request logs hitting the local loopback (and you can see the request log data in the trace).
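The comment above points at a configuration check worth automating: a health monitor attached to the pool that fronts the Telemetry Streaming local address (255.255.255.254) marks the member down and silently stops log forwarding. The script below is an added example, not code from the original article or from F5; it assumes the declaration is AS3-style JSON (Tenant -> Application -> objects with a "class" key, pools carrying "members" and "monitors"), and the embedded declaration, including the 6514 service port, is constructed for illustration only. It flags every pool that targets the local address and still has monitors, and produces a copy of the declaration with those monitors removed, which is the fix the comment describes.

```python
import json

# Local address that Telemetry Streaming's logging pool points at (stated in the comment above).
TS_LOCAL_ADDRESS = "255.255.255.254"

# Constructed sample declaration for this example (not the original post's declaration).
# The Tenant -> Application -> Pool nesting follows the AS3 layout as assumed here;
# the 6514 port is a placeholder value, not taken from the page.
SAMPLE_DECLARATION = json.dumps({
    "class": "ADC",
    "schemaVersion": "3.10.0",
    "Common": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "telemetry": {
                "class": "Pool",
                "members": [{"servicePort": 6514, "serverAddresses": ["255.255.255.254"]}],
                "monitors": ["tcp"]          # this is the setting the comment says breaks logging
            },
            "web_pool": {
                "class": "Pool",
                "members": [{"servicePort": 80, "serverAddresses": ["10.0.0.10"]}],
                "monitors": ["http"]         # unrelated pool; its monitor must be left alone
            }
        }
    }
})


def _pool_addresses(pool):
    """Collect every server address referenced by a pool's members."""
    addrs = set()
    for member in pool.get("members", []):
        addrs.update(member.get("serverAddresses", []))
    return addrs


def find_monitored_telemetry_pools(declaration_json):
    """Return [(path, monitors)] for each Pool that targets the TS local address
    and still has a health monitor attached (the condition that marks it down)."""
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        if node.get("class") == "Pool":
            if TS_LOCAL_ADDRESS in _pool_addresses(node) and node.get("monitors"):
                findings.append(("/".join(path), list(node["monitors"])))
            return
        for key, child in node.items():
            walk(child, path + [key])

    walk(json.loads(declaration_json), [])
    return findings


def strip_monitors_from_telemetry_pools(declaration_json):
    """Return the declaration as JSON text with monitors removed from every pool
    that targets the TS local address; other pools are untouched."""
    doc = json.loads(declaration_json)

    def walk(node):
        if not isinstance(node, dict):
            return
        if node.get("class") == "Pool":
            if TS_LOCAL_ADDRESS in _pool_addresses(node):
                node.pop("monitors", None)
            return
        for child in node.values():
            walk(child)

    walk(doc)
    return json.dumps(doc)


if __name__ == "__main__":
    for path, monitors in find_monitored_telemetry_pools(SAMPLE_DECLARATION):
        print(f"pool {path} targets {TS_LOCAL_ADDRESS} but has monitors {monitors}; remove them")
    fixed = strip_monitors_from_telemetry_pools(SAMPLE_DECLARATION)
    print("findings after fix:", find_monitored_telemetry_pools(fixed))
```

Run it against a saved declaration by replacing SAMPLE_DECLARATION with the file contents; an empty findings list after the fix, together with the tcpdump trace the comment suggests, confirms the telemetry pool member is no longer being marked down by a monitor.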