F5 Sending syslogs with two hostname to remote syslog server

IRONMAN
Cirrostratus

Hi all,

We have an F5 device (LTM + AFM), and we configured the syslog server (Splunk) via a Linux syslog server as forwarder.

On the Linux server, each F5 is creating two syslog files: one with just the host name and another one with the FQDN.

Both are different logs, not duplicates.

I am not sure where to merge them or make them a single file. Can anyone guide me, please?


1 ACCEPTED SOLUTION

IRONMAN
Cirrostratus

Hi,

We have a solution for this.

https://support.f5.com/csp/article/K76259573

Recommended Actions

Include "options {use_fqdn(yes); keep_hostname(no); };" in the syslog configuration:

Use the following command in the CLI:

 tmsh modify sys syslog include "options {use_fqdn(yes); keep_hostname(no); };"

F5 has an option to mark its host name (only the host name or the FQDN) in the syslog message.

2 REPLIES 2

From what I can think of, it's coming from 2 different source IPs.

One could be your management IP and the other your self IP address.

When the traffic comes to the forwarders, it does a reverse lookup for the IP and creates the log file respectively.

But I don't see a problem with this; it's quite common. All you have to do is work with your Splunk team to index them properly. As long as the source types of both logs are the same and they are indexed to one common indexer, it's not a big deal.

Else you'll have to make changes on the LTM to force the logs to go out through one interface, either mgmt or tmm. There are KB articles on that.

Hope this helps.
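
One way to confirm and normalize the split host identity discussed in this thread before the logs are indexed, as an added example that is not part of the original posts or of F5's article. It assumes RFC 3164-style lines on the forwarder and a hypothetical default domain `example.com`; the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# RFC 3164-style line as written by a forwarder: [<PRI>]Mmm dd hh:mm:ss HOST message
HEADER = re.compile(r"^(<\d{1,3}>)?([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def canonical_host(host, default_domain):
    """Lower-case the HOST field and qualify bare names with default_domain."""
    host = host.rstrip(".").lower()
    # IP literals stay untouched: appending a domain to them is meaningless.
    if re.fullmatch(r"[\d.]+", host) or ":" in host:
        return host
    return host if "." in host else f"{host}.{default_domain}"

def split_identities(lines, default_domain):
    """Return {canonical FQDN: raw HOST values} for devices logged under >1 name."""
    seen = defaultdict(set)
    for line in lines:
        m = HEADER.match(line)
        if m:
            seen[canonical_host(m.group(3), default_domain)].add(m.group(3))
    return {fqdn: raw for fqdn, raw in seen.items() if len(raw) > 1}

def rewrite(line, default_domain):
    """Rewrite the HOST field to the canonical FQDN; pass unparsable lines through."""
    m = HEADER.match(line)
    if not m:
        return line
    pri, ts, host, rest = m.groups()
    return f"{pri or ''}{ts} {canonical_host(host, default_domain)} {rest}"

# Constructed sample lines (hypothetical hosts and messages, not real F5 output).
SAMPLE = [
    "<134>Oct  3 10:15:01 bigip1 tmm[12345]: constructed sample message A",
    "<134>Oct  3 10:15:02 bigip1.example.com mcpd[678]: constructed sample message B",
    "Oct 13 10:15:03 BIGIP2.example.com tmm[12345]: constructed sample message C",
    "not a syslog line",
]

if __name__ == "__main__":
    for fqdn, raw in split_identities(SAMPLE, "example.com").items():
        print(f"{fqdn} is logged under {sorted(raw)}")
    for line in SAMPLE:
        print(rewrite(line, "example.com"))
```

Running `split_identities` over a day of forwarded logs shows which devices still appear under two names, which matters for correlation because searches keyed on one host value silently miss the events filed under the other.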
