Actually, I integrated our BIG-IP with LogRhythm as an rsyslog destination to make our F5 send its logs (LTM and ASM) to LogRhythm.
My question here is how I can log traffic for a specific IP locally on the F5 but at the same time have the F5 not send that IP's
logs to LogRhythm.
Yes, you can consider it as you understood it, but let me clarify further for better understanding.
Actually, we have an Entuity server (network monitoring software) that checks a web portal behind our F5 every 5 seconds. It gives us a false-positive alert (an attack signature hit) on the F5 while Entuity checks the login page of the portal. So we need to log all traffic that arrives from Entuity locally on the F5, but at the same time we need the F5 to exclude Entuity traffic from remote logging to LogRhythm.
Many thanks for your reply.
Is the Entuity system logging into the BIG-IP itself, or is it logging into the web portal, with the BIG-IP load-balancing that? If it is the latter, is the attack signature match coming from ASM? If it is from ASM, you can select only one destination type (local or remote) for each type via a logging profile for the Virtual Server. You could set logging to local, then modify the local syslog-ng to use syslog configuration matching to send a subset remotely. I, however, strongly recommend against this, because you are pushing this load onto the BIG-IP control plane, and syslog-ng on the BIG-IP is not designed for high-volume logging. It is generally best to filter them on the syslog receiver rather than on the BIG-IP. I believe that is what @jaikumar_f5 was proposing.
I don't know of a way to coerce the normal ASM remote logging to divide messages in the way you wish.
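Filtering on the syslog receiver, as the answer above recommends, amounts to parsing ASM's key="value" remote-logging lines, keeping the records whose TCP peer is the monitoring host, and forwarding everything else. The Python below is an added illustration written for this thread; it is not code from the thread, from F5 or from LogRhythm. The Entuity address 10.1.1.5, the `EXEMPT_SOURCES` name and the sample log lines are constructed assumptions, shaped like ASM's default remote-logging format rather than captured from a real BIG-IP.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Hypothetical address of the Entuity poller; the real one is site-specific.
EXEMPT_SOURCES = [ipaddress.ip_network("10.1.1.5/32")]

# Constructed sample lines in the shape of ASM's default remote-logging
# key="value" format (not captured from a real BIG-IP). Note the request
# field contains commas, so a naive split(",") would mis-parse it.
SAMPLE_LINES = [
    # The monitoring poller hitting the login page: keep locally, do not forward.
    'ASM:unit_hostname="bigip1",policy_name="/Common/portal",request_status="alerted",'
    'ip_client="10.1.1.5",x_forwarded_for_header_value="N/A",attack_type="Brute Force Attack",'
    'uri="/login",request="GET /login HTTP/1.1\\r\\nHost: portal,example\\r\\n"',
    # A real client: forward.
    'ASM:unit_hostname="bigip1",policy_name="/Common/portal",request_status="alerted",'
    'ip_client="203.0.113.7",x_forwarded_for_header_value="N/A",attack_type="Brute Force Attack",'
    'uri="/login",request="POST /login HTTP/1.1\\r\\nHost: portal\\r\\n"',
    # Near miss: 10.1.1.50 is not the poller and must still be forwarded.
    'ASM:unit_hostname="bigip1",policy_name="/Common/portal",request_status="blocked",'
    'ip_client="10.1.1.50",x_forwarded_for_header_value="N/A",attack_type="Predictable Resource Location",'
    'uri="/admin",request="GET /admin HTTP/1.1\\r\\nHost: portal\\r\\n"',
    # Spoofed X-Forwarded-For claiming to be the poller: forward anyway.
    'ASM:unit_hostname="bigip1",policy_name="/Common/portal",request_status="blocked",'
    'ip_client="203.0.113.9",x_forwarded_for_header_value="10.1.1.5",attack_type="Cross Site Scripting (XSS)",'
    'uri="/login",request="GET /login?u=<script> HTTP/1.1\\r\\nHost: portal\\r\\n"',
]

# One key="value" pair; the value may contain backslash-escaped characters.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_asm_line(line: str) -> Dict[str, str]:
    """Split an ASM remote-logging line into its key="value" fields.

    A regex is used instead of split(",") because the request field itself
    carries commas and quoted text.
    """
    return {key: value for key, value in KV_RE.findall(line)}


def is_exempt(fields: Dict[str, str], exempt_nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True when the TCP peer address (ip_client) lies inside an exempt network.

    Addresses are compared after parsing, so 10.1.1.5 does not also match
    10.1.1.50 the way a substring test would. x_forwarded_for_header_value is
    deliberately ignored: it is client-controlled, and honouring it would let
    any attacker opt out of remote logging by setting the header.
    """
    try:
        addr = ipaddress.ip_address(fields.get("ip_client", ""))
    except ValueError:
        # Unparseable or missing peer address: never treat as exempt.
        return False
    return any(addr in net for net in exempt_nets)


def route(lines: Iterable[str], exempt_nets: Iterable[ipaddress.IPv4Network]) -> Tuple[List[str], List[str]]:
    """Partition lines into (kept_locally, forwarded_to_siem)."""
    nets = list(exempt_nets)
    local, forward = [], []
    for line in lines:
        if is_exempt(parse_asm_line(line), nets):
            local.append(line)
        else:
            forward.append(line)
    return local, forward


if __name__ == "__main__":
    kept, sent = route(SAMPLE_LINES, EXEMPT_SOURCES)
    print(f"kept locally: {len(kept)}, forwarded: {len(sent)}")
```

On an rsyslog relay the same decision is a property test placed before the forwarding action, for example `if $msg contains 'ip_client="10.1.1.5"' then stop` in RainerScript; including the closing quote in the pattern is what keeps 10.1.1.50 from matching. That line is an assumption about how the receiver is configured, not something the thread states, and it shares the design choice above of matching on ip_client only, never on X-Forwarded-For.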