syslog-ng
7 Topics

Routing udp syslog through F5 LTM without losing source IP
I am trying to figure out how to route udp syslog messages through my F5's without it modifying the source IP. I can get the messages through when I set up a "Standard" virtual server with Auto Map enabled, but that changes the IP. No other setting I have tried actually lets the message get to the backend nodes. Any help would be greatly appreciated.

FWIW, the use case here is this:

(udp syslog from switches) -> LTM -> (pool of Logstash servers) -> Redis -> (Logstash indexer) -> Elasticsearch

The reason for the LTM is both HA and load balancing. The LTM is in an active / standby pair and there are multiple Logstash servers in the pool. This gives me both reliability and performance.

599 Views 0 likes 3 Comments

LTM 11.6 how to bind an ip address to logs sent to the remote syslog server using "syslog include" statement
Hi to everyone, as in the title, I need to bind the IP address on the management interface to the logs that are sent to the remote syslog server. I use the 'syslog include' statement as follows:

include "
filter filtra_i_log_a_fan1 { level(warn..emerg); };
destination FAN1 { udp(\"192.168.xxx.xxx\" port(514)); };
log { source(s_syslog_pipe); filter(filtra_i_log_a_fan1); destination(FAN1); };
"

With the configuration above, the LTM binds the logs with the IP address of the external interface. Thanks in advance, giorgio

Solved 599 Views 0 likes 6 Comments

Send LTM logs to a VIP on the same BIG-IP
We haven't tried this yet but would like to know if it's possible and/or if this has been a setup in any environment. We plan to have an ELK cluster behind our LTMs, three or more nodes bound to a virtual server, and eventually every log source pointing to the virtual. Can the BIG-IP send its logs to this virtual? Hence load-balancing them across nodes that are behind the same BIG-IP. Would appreciate any input. Thank you.

457 Views 0 likes 4 Comments

Change source name of F5 for log
Hello everyone, we are using a Graylog server for, well, our logs ^^ and the main problem we have is that we can't tell the difference between the F5s we have because all the logs have the same source name: "F5", as you can see in the screenshot. Is there a way to change it? Thanks in advance. Regards,

445 Views 0 likes 6 Comments

How do I ensure that link status events generate SNMP traps?
I've set my kernel and messages log levels to "notice", and I've set up SNMP trap configuration. I've verified via logger and snmptrap cli tools that the device will send traps and that alertd will send traps if the logs are there, but if I actually disable the interface, the traps don't appear. Does anyone know why this might be happening?

389 Views 0 likes 0 Comments

Syslog Arcsight and remote destination Syslog combined
Hi All, I have a Big IP LTM + ASM installed. Within the ASM I have a logging profile configured that sends the ASM logs in CEF format to Arcsight, and that works perfectly. I also have a standard Syslog destination configured in the System menu with the same remote log destination, because I also want standard Syslog information to be sent to the same Syslog server. The problem is that it just does not work. If I generate some logs by shutting down a pool, there is no traffic sent to the Syslog server. The very strange thing is that when I change the IP to another IP that is different from the Arcsight IP, it is being sent. So it seems like you are not able to combine an ASM syslog CEF and a normal Syslog destination using the same IP destination. I also tried to restart the syslog-ng daemon but that also did not fix the problem. Does someone have an explanation for this?

336 Views 0 likes 2 Comments