How can I log traffic from a specific IP locally and not send its logs to Rsyslog at the same time

Ahmed_Aboelmagd
Altostratus

Dears,

Actually, I integrated our BIG-IP with LogRhythm as a Rsyslog server to make our F5 send its logs (LTM and ASM) to LogRhythm.

My question here is how I can log traffic for a specific IP locally on F5, but at the same time I need F5 not to send that IP's logs to LogRhythm.

Regards


VernonWells
F5 Employee

Ahmed, are you trying to send logs for some traffic locally to a BIG-IP log file (i.e., in /var/log) and all other logs to a remote destination?

Hi Vernon,

Yes, you can consider it as you understand it, but let me clarify more for better understanding.

Actually, we have an Entuity server (a network monitoring software) that checks a web portal behind our F5 every 5 seconds. It gives us a false positive alert (hitting an attack signature) on F5 while Entuity checks the login page of the portal. So we need to log all traffic that arrives from Entuity locally on F5, but at the same time we need F5 to exclude Entuity traffic from logging remotely on LogRhythm.

Many thanks for your reply.

I think you can create a filter for this to exclude your pattern. Apply that filter to your syslog server. You might need to find the right expression; I think it's "match". Take a look please.

VernonWells
F5 Employee

Is the Entuity system logging into the BIG-IP itself, or is it logging into the web portal and the BIG-IP is load-balancing that? If it is the latter, is the attack signature match coming from ASM? If it is from ASM, you can select only one destination type (local or remote) for each type via a logging profile for the Virtual Server. You could set logging local, then modify the local syslog-ng to use syslog configuration matching to send a subset remotely. I, however, recommend strongly against this because you are pushing this load to the BIG-IP control plane, and syslog-ng on the BIG-IP is not designed for high volume logging. It is generally best to filter them on the syslog receiver rather than BIG-IP. I believe that is what @jaikumar_f5 was proposing.

I don't know of a way to coerce the normal ASM remote logging to divide messages in the way you wish.
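The receiver-side split that the two replies above describe (keep the monitoring host's entries in a local file, forward everything else on to the SIEM), written as an rsyslog configuration. This is an added example, not configuration from the thread or from F5: it assumes an rsyslog relay (or an rsyslog-based receiver) takes the BIG-IP's remote ASM/LTM logs on UDP/514 before they reach LogRhythm, and every address in it is constructed: BIG-IP 192.0.2.10, Entuity 192.0.2.50, LogRhythm collector 203.0.113.20. The client address is matched as a whole token inside the message text, because the remote logging profile puts the client IP in the message body rather than in the syslog source field.

```rsyslog
# Added example (not from the thread). Assumed topology: BIG-IP -> this
# rsyslog relay -> LogRhythm. Constructed addresses, replace with your own:
#   BIG-IP          192.0.2.10
#   Entuity monitor 192.0.2.50
#   LogRhythm       203.0.113.20
module(load="imudp")
input(type="imudp" port="514" ruleset="bigip")

# Write the message exactly as the BIG-IP sent it, one per line.
template(name="RawMsg" type="string" string="%rawmsg%\n")

ruleset(name="bigip") {
    # Only handle traffic that really came from the BIG-IP on this ruleset;
    # anything else from this port is dropped.
    if ($fromhost-ip != '192.0.2.10') then {
        stop
    }

    # Entuity's address, matched as a whole dotted quad: the lookarounds
    # ensure 192.0.2.5 or 192.0.2.500 do not match by accident. [.] is a
    # literal dot, so no backslash escaping is needed in the string.
    if re_match($msg, "(^|[^0-9.])192[.]0[.]2[.]50([^0-9.]|$)") then {
        # Monitoring-host entries stay local for troubleshooting ...
        action(type="omfile" file="/var/log/bigip/entuity.log" template="RawMsg")
        # ... and never reach the forwarding action below.
        stop
    }

    # Everything else goes on to LogRhythm unchanged.
    action(type="omfwd" target="203.0.113.20" port="514" protocol="udp")
}
```

Two points worth checking before relying on this: the ASM remote logging profile's storage format decides how the client address appears in the message, so confirm with a captured line that the address is present as plain text; and the local file still grows every 5 seconds, so give `/var/log/bigip/entuity.log` its own logrotate entry. Matching on the whole token rather than a bare substring is what keeps the filter from silently swallowing other clients whose address merely starts with the same digits.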