This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Log Collection F5 LTM/APM

Go to solution
Anonymous
Not applicable

‎2016-08-30 06:26 PM

Has anyone been successful in configured an F5 LTM/APM to send logs to a log decoder?

I've followed the instructions from sadocs.emc.com but I think they are incomplete, because the F5 isn't sending any logs at all to the log decoder.

I am successfull receiving syslog to the decoder so I know it's not the decoder and I've also seen on the firewall that there is no traffic from the F5 to log decoder.

Anyone know what I'm missing?

 

Cheers.

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
Anonymous
Not applicable

‎2016-08-31 06:53 PM

Ok, I figured it out.

When adding in the remote syslog destination System > Logs > Configuration > Remote Logging

I needed to add the 'Local IP' address of the interface I wanted the traffic to come out of. It says "Optional" but in my case, I needed it to make it work.
syslog.jpg
Thanks for the help.

View solution in original post

0 Likes
6 REPLIES 6

Go to solution
RonSmith
Beginner
Beginner

‎2016-08-31 08:36 AM

I have been able to consistently send generic syslog to an F5 but it is very problematic to get any other log type.

0 Likes

Go to solution
Anonymous
Not applicable

‎2016-08-31 05:20 PM

Hello, Are these the instructions that you used? (please see below) Also, have you attempted doing a tcpdump on both ends to see, #1 is the traffic being sent, and #2 is it making it to the Decoder? Feel free to post any screenshots or error messages you are getting. Also it may be worth stopping and starting syslog on both ends as well if you haven't yet done so.

 

F5 Big-IP Local Traffic Manager Event Source Configuration Guide 

F5 Big-IP Advanced Firewall Manager Event Source Configuration Guide 

0 Likes

Go to solution
Anonymous
Not applicable
In response to RonSmith

‎2016-08-31 06:23 PM

Do you mean to an F5 or from an F5?

I'm looking to have my F5 send logs 'to' NetWitness log decoder.

0 Likes

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2016-08-31 06:37 PM

I used this guide to configure the F5 APM.I haven't used the LTM guide because we are only using the APM component, not LTM

https://community.rsa.com/docs/DOC-40146 

As I mentioned, I've looked on the firewall (which sits in between the F5 and Decoder, and the rules do allow the traffic) and there is nothing being sent from the F5.

I've performed a tcpdump on the F5 and it's not sending syslog at all.

The decoder is working fine because it can receive syslog from other sources (ie. Firewalls).

Do you know if I need to configure what interface it sends the packets from? I just assumed it would be the management interface

0 Likes

Go to solution
Anonymous
Not applicable

‎2016-08-31 06:53 PM

Ok, I figured it out.

When adding in the remote syslog destination System > Logs > Configuration > Remote Logging

I needed to add the 'Local IP' address of the interface I wanted the traffic to come out of. It says "Optional" but in my case, I needed it to make it work.
syslog.jpg
Thanks for the help.
0 Likes

Go to solution
Anonymous
Not applicable

‎2016-08-31 07:44 PM

Glad you got it working!

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.