I have had a couple of customers ask about guidance on how to use their BIG IP to ingest external TLS syslog being shipped to them. Like them, I first came to DevCentral and found myself seeing the questions being asked, but no direct answers. One of the main issues I found myself running into during this build process was finding a TLS compatible syslog testing server. While there are quit a few syslog test servers, they typically do not support TLS and if you do not know this going in, lots of frustration awaits you. The best syslog test device, you already have it: openssl.
Another great feature, you can consume the external syslog data and send it to your backend processing as tcp or udp. Let's jump in to our build.
I built all of this in my home lab using three virtual machines, an external Linux server to simulate the TLS Syslog generator, our BIG-IP, and an internal Linux Syslog-NG server to validate our messages. On our external syslog generator we will create a file 'file.log'.
echo "This is an openssl client syslog" > file.log
Create our Syslog-NG backend server
While I won't go in to great Linux distribution detail, use your package manager to install Syslog-NG and open necessary firewall ports and protocols as needed (tcp/udp 514). Depending on your distro (Fedora for me) you Syslog-NG config file will be located roughly in /etc/syslog-ng/syslog-ng.conf. Below is how I have mine set up after the additional configuration files section:
Notice in the source section of the Syslog-NG configuration file we can define what source we want to collect; TCP or UDP.
Make our TLS Syslog virtual server on the BIG-IP, this is normally defined on port 6514.
Next, we make our selection. Will you be processing TCP or UDP messages to your backend?
Finally, time to send our test message. Please make sure you validate the necessary ports are open on your distribution or standard firewalls that may be in path.
cat file.log | openssl s_client -connect <fqdn/ip_address>:6514
Once the message is sent, we can move over to our internal syslog server and review that our new directory and file naming convention worked and that our message was logged.