Can someone explain to me what I'm doing wrong?
I have a policy attached to a Virtual-Server, and it is triggered when a specific URI enters.
There are two actions, one that logs a message to local logfile, and another that logs to a remote syslog server.
I can see that the actions are triggered because my message is written to the local log file, but nothing is sent towards my syslog server. I have verified with TCPDUMP that nothing is leaving the management interface, and I have also tried with different hosts and ports.
This is the policy I created.
@CEnroth The management interface isn't automatically used for syslog and would be completely dependent on your routing table for your management interface along with the routing table for traffic that the F5 load balances and/or forwards. You can verify what's being used by running the following two commands.
list sys management-route one-line
list net route one-line
The first command will show the static routes that you have configured for the management interface and the second will be the routes for your general load balanced and/or forwarded traffic on the F5. Please note that the default route on the management interface does not supersede the default route on the routed interfaces of the F5 and the only thing that would supersede it is a specific route on the management interface or if the subnet is directly connected on the management interface. If your F5 is in path it will use whichever interface is closest to the routed destination to communicate with the log server.
@Paulius Thanks for the information.
In this case I use "Route Domains" for all other communications, so "list net route one-line" is empty.
Mgmt interface had a "default route", but to be sure that nothing had a better route than that I added a /32.
Once in a while I get the error message below, and initially I thought it was the remote syslog server that "rejected" the packages, but as I said before I used TCPDUMP to see if anything exited the Mgmt interface but nothing did.
Error in log file:
Execution of action 'log write port=514 message= facility=local0 priority=info ip-address=192.168.0.100' failed, error ERR_REJECT
It is possible that packages leave the loadbalancer on some other interface, but I had TCPDUMP listen on all other interfaces and did not see udp/514 packages on any of them.
And I forgot to say that I can PING the syslog server from the LB, and that package leaves on the Mgmt interface.
@Paulius Thanks for all the input, and I think you are right about routing. And as I use "route domains", /Common (id = 0) would probably be the one where all messages would be sourced from. But in my case I don't use /Common, and therefore this route domain has no routes. One can think that the ERR_REJECT message indicates that there is no way out from this vlan/net. But I will do as you suggested and try an iRule with HSL::send to see if that works.
And once again, thanks for the input 😀
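A sketch of the iRule approach mentioned in the last post, added here as an example and not taken from the thread or from either poster. It assumes a hypothetical pool named syslog_pool whose member is the syslog server on port 514, defined in a route domain that can reach it, and a placeholder URI prefix in place of the one the policy matched.

```tcl
# Added example: send the same log line over HSL instead of the policy "log" action.
# Assumptions (not from the thread): pool /Common/syslog_pool exists and contains
# the syslog server on UDP/514; "/example-uri" stands in for the URI the
# original policy matched.

when CLIENT_ACCEPTED {
    # Open the HSL handle once per connection. Traffic follows the pool
    # member's routing, so the member must be reachable from its route domain.
    set hsl [HSL::open -proto UDP -pool /Common/syslog_pool]

    # Syslog PRI = facility * 8 + severity. local0 = 16, info = 6 -> 134,
    # matching facility=local0 priority=info in the failing log action.
    set pri [expr {16 * 8 + 6}]
}

when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/example-uri" } {
        # One datagram per message; keep it short enough to fit a single UDP packet.
        HSL::send $hsl "<$pri>[virtual name] client=[IP::client_addr] uri=[HTTP::uri]"
    }
}
```

If the pool member is marked down or has no route, nothing is sent, so a tcpdump on the interface facing the syslog server remains the check for whether udp/514 actually leaves the box.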