I created a log forwarding profile where its pointing at the graylog box on port 514 (udp) and set up the format, etc and then applied it to the virtual server but I don't see anything coming into the syslog server. I have restart the syslog on the box and failed over to the other F5 and its still not sending any logs. Even doing a netstat (netstat -pan | grep syslog) I don't see anything trying to leave either F5 just localhost stuff. Is there anything I'm missing? I feel like there isn't' anything obvious.
So just to double check.
You have a pool and pool member setup.
Which links to your destiantion.
Which links to your Publisher?
And the config has the relevent security tick boxes ticked to ensure the correct logs are sent to the remote log source?
And then that publisher is linked to the virtual server in the security settings?
If that doesn't make sense let me know and i'll take some screen shots of my config for you. ASM logging is a bit all over the place unfortunately!
Follow this article should resolve your issue.
Just be careful, those articles talk about general logging focused at the LTM side.
ASM logging works slightly differently.