BIG-IP to Process TLS Syslog Traffic

I have had a couple of customers ask for guidance on how to use their BIG-IP to ingest external TLS syslog being shipped to them. Like them, I first came to DevCentral and found the questions being asked, but no direct answers. One of the main issues I ran into during this build was finding a TLS-capable syslog test client. While there are quite a few syslog test tools, they typically do not support TLS, and if you do not know this going in, a lot of frustration awaits you. The best syslog test client is one you already have: openssl.

Another useful feature: you can consume the external TLS syslog data and send it to your backend processing as plain TCP or UDP. Let's jump in to our build.

I built all of this in my home lab using three virtual machines, an external Linux server to simulate the TLS Syslog generator, our BIG-IP, and an internal Linux Syslog-NG server to validate our messages. On our external syslog generator we will create a file 'file.log'.

echo "This is an openssl client syslog" > file.log

Create our Syslog-NG backend server

While I won't go into great Linux distribution detail, use your package manager to install Syslog-NG and open the necessary firewall ports and protocols as needed (tcp/udp 514). Depending on your distro (Fedora for me), your Syslog-NG config file will be located at roughly /etc/syslog-ng/syslog-ng.conf. Below is how I have mine set up after the additional configuration files section:

# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"

# test tcp_syslog
source s_loggly {
  #tcp(ip(0.0.0.0) port(514));
  udp(ip(0.0.0.0) port(514));
};

destination d_loggly {
  file("/var/log/loggly/$HOST-$YEAR$MONTH$DAY.log");
};

log {
  source(s_loggly);
  filter(f_default);
  destination(d_loggly);
};

Notice that in the source section of the Syslog-NG configuration file we define which transport we want to collect on: TCP or UDP (the unused one is commented out).

Make our TLS Syslog virtual server on the BIG-IP. Syslog over TLS is normally defined on port 6514.


Next, we make our selection. Will you be processing TCP or UDP messages to your backend?


Finally, time to send our test message. Please make sure you validate the necessary ports are open on your distribution or standard firewalls that may be in path.

cat file.log | openssl s_client -connect <fqdn/ip_address>:6514

Once the message is sent, we can move over to our internal syslog server and verify that our new directory and file naming convention worked and that our message was logged.
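The one-liner above sends a bare string, which is fine for checking that the path works, but it does not exercise the syslog framing your backend will actually parse, and openssl s_client accepts whatever certificate the virtual server presents. The following script is an added example, not code from the original article or from F5: it builds a properly framed RFC 5424 message (PRI = facility * 8 + severity) and ships it to the BIG-IP listener while verifying the server certificate against a CA file. The target address 192.0.2.10:6514, the CA file path ./bigip-ca.pem and the host/app names are assumptions for illustration.

```bash
#!/bin/sh
# Added example (not from the original article): build an RFC 5424 syslog
# message and send it to the BIG-IP TLS syslog virtual server.
# Assumed values: BIG-IP VIP 192.0.2.10 (documentation range) on port 6514,
# CA certificate that signed the clientssl profile's cert in ./bigip-ca.pem.

# PRI = facility * 8 + severity (RFC 5424, section 6.2.1).
# Example: facility 1 (user) and severity 6 (informational) give <14>.
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# Build an RFC 5424 message:
#   <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# Arguments: facility severity hostname appname message [timestamp]
# The timestamp defaults to now (UTC); pass it explicitly for repeatable tests.
build_syslog_msg() {
    facility=$1; severity=$2; host=$3; app=$4; msg=$5
    ts=${6:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
    printf '<%s>1 %s %s %s - - - %s' \
        "$(syslog_pri "$facility" "$severity")" "$ts" "$host" "$app" "$msg"
}

# Send one message to the TLS listener. -CAfile and -verify_return_error make
# s_client refuse to continue when the BIG-IP certificate does not chain to the
# given CA, so a misconfigured clientssl profile shows up as a failure here
# instead of silently passing. s_client exits once stdin reaches EOF.
# Arguments: host:port cafile message
send_syslog_tls() {
    target=$1; cafile=$2; message=$3
    printf '%s\n' "$message" \
        | openssl s_client -connect "$target" -CAfile "$cafile" -verify_return_error >/dev/null
}

# Stand-alone run: send a test line the same way the article does, but framed.
if [ "${1:-}" = "send" ]; then
    msg=$(build_syslog_msg 1 6 extlog01 ssl-test "This is an openssl client syslog")
    send_syslog_tls 192.0.2.10:6514 ./bigip-ca.pem "$msg" && echo "sent: $msg"
fi
```

Run it as `sh send_syslog_tls.sh send` from the external generator; on the Syslog-NG side the $HOST macro in the destination path will now come from the HOSTNAME field of the message rather than from the BIG-IP's source address, which is worth checking when you review the file name under /var/log/loggly.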



I hope this is helpful!
Published Dec 03, 2020
Version 1.0


3 Comments

  • Hi Chad_Wise ,

    I am looking into setting an F5 as a L4 proxy for syslog to convert it from TCP Syslog to UDP syslog.

    Would you be able to confirm if your configuration can actually do that?


    Cheers,

    Liviu


  • Hi Chad_Wise

    Thank you very much, I have managed to make it work.

    Unfortunately it looks like I can convert syslog from TCP to UDP only when using TLS. If I try to configure the vServer without an SSL profile, I get the following error:

    "01070734:3: Configuration error: Less than the required minimum number of profiles found on /Common/syslog_tcp: At least 1 of but Not more than 3 of (SIP Profile, ClientSSL Profile, ServerSSL Profile, QUIC Profile)"