
High-Speed Logging Mgmt Interface

I am trying to set up high-speed remote logging on my Big-IP ASM v12.1.1. I have gone through the f5 documents setting up the server pool, then log destination/publisher/filter, but am not getting any logs.

I just read on a post that high-speed logs won't be sent over the mgmt interface. Is that true? Will I need to set up another interface (with static routes?) just for the high-speed logging?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

For anybody revisiting the topic:

K50040950: Configuring the BIG-IP system to send high-speed logs through the management interface https://support.f5.com/csp/article/K50040950

1
Comments on this Answer
Comment made 15-Jul-2018 by boneyard 5579

thanks grom, i was just thinking isn't that possible these days :)

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Only syslog is able to send logs over the mgmt interface, starting with 12.0.0.

HSL requires that the destination be accessible over the tmm interfaces.

0
Comments on this Answer
Comment made 27-Dec-2016 by OTS02 597

The destination(s) will be the pool member(s) of the HSL pool, and the BIGIP will determine the interface from the routing table. You don't have to set up an interface.

For example, if you create a pool called HIGH_SPEED_LOGGING, with one member 10.10.10.10:514,

and you referenced the pool, HIGH_SPEED_LOGGING, in some iRule:

when HTTP_REQUEST {
    # Open a UDP HSL handle to the logging pool once per connection and keep it in $hsl
    set hsl [HSL::open -proto UDP -pool HIGH_SPEED_LOGGING]
}

when HTTP_RESPONSE {
    # Send a log line to the pool only for non-200 responses
    if {[HTTP::status] != 200} {
        HSL::send $hsl "something just happened"
    }
}

All you have to do is make sure that any firewalls in the path allow UDP 514 to 10.10.10.10.

0
Comment made 30-Dec-2016 by David Landry 0

Some things to add. My guess is you are concerned with excess logging traffic on your main interfaces. Personally I did a test with a very custom HSL logging rule with a very large transaction rate. Honestly you will kill your syslog receiver before killing your network. The test I did earlier this year was 300-byte messages at 1200/second on 4200v's and 5200v's, which came out to 2.8 Mbit/second.

Also since you are using HSL you will see some benefits which will satisfy your security guys from a logging perspective. Each TMM will spin up its own logging socket. That means you will have 1 connection per active TMM kernel logging data. Those connections will stay up unless those connections are broken. In version 11 if you have an 8 core BigIP you will have 4 active TMM's which equals 4 HSL sockets.

Now about HSL over separate networks. It is doable; however, in 11.x and 12.x HSL can only send via TMM interfaces (non-mgmt). Depending on your architecture and security requirements you "could" use an idle TMM interface with a separate IP range on those interfaces. In order to use that you will need to add a host route via tmsh to point your syslog receiver nodes for HSL over the alternate VLAN.

Let's say you have VLAN 100 with subnet 10.0.0.0/24 with your default gateway going to 10.0.0.1, and your syslog receiver is 10.1.0.10. If you used HSL with the default route, your syslog data will follow the same path as your live traffic.

To get around this you could add VLAN 101 with subnet 10.0.1.0/24 and place a host route for 10.1.0.10/32 pointed to the gateway for VLAN 101 (10.0.1.1 for example).

Again, I don't certify this as secure, but this would put your logging traffic on its own physical cable and/or switch infrastructure.

You could also further secure this by creating a separate route domain. Might make it simpler.

Just some notes from my experience with HSL. And of course "TEST ON A TEST UNIT FIRST!" :)

--Dave

0
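The separate-VLAN approach described in the comment above, written out as a tmsh configuration. This is an added example, not configuration from the commenter or from F5; it assumes the addressing in the comment (VLAN 101 on 10.0.1.0/24, gateway 10.0.1.1, syslog receiver 10.1.0.10), and the interface number 1.2, the self IP 10.0.1.5, and the object names (hsl-vlan, hsl-self, hsl-syslog-route, hsl-dest, hsl-syslog, hsl-publisher) are placeholders to replace with your own.

```tmsh
# Dedicated VLAN on an otherwise idle TMM interface (interface 1.2 is an assumption)
create net vlan hsl-vlan tag 101 interfaces add { 1.2 { untagged } }

# Non-floating self IP on that VLAN; allow-service none keeps the self IP from
# answering any inbound service, since it only needs to source outbound log traffic
create net self hsl-self address 10.0.1.5/24 vlan hsl-vlan allow-service none

# Host route for the syslog receiver so HSL traffic leaves via VLAN 101 instead of
# following the default route on VLAN 100 with live traffic (longest prefix wins)
create net route hsl-syslog-route network 10.1.0.10/32 gw 10.0.1.1

# HSL pool; the remote-high-speed-log destination below references it by name
create ltm pool HIGH_SPEED_LOGGING members add { 10.1.0.10:514 } monitor none

# Destination chain: HSL destination -> syslog formatter -> publisher
create sys log-config destination remote-high-speed-log hsl-dest pool-name HIGH_SPEED_LOGGING protocol udp
create sys log-config destination remote-syslog hsl-syslog remote-high-speed-log hsl-dest format rfc5424
create sys log-config publisher hsl-publisher destinations add { hsl-syslog }

save sys config
```

Before pointing a logging profile or iRule at hsl-publisher, confirm that the route selection is what you expect with `show net route` (the /32 should be listed ahead of the default) and that the receiver is reachable from the new self IP, for example `ping -I 10.0.1.5 10.1.0.10` from the BIG-IP shell. If the receiver is on a different route domain, the route and self IP need to be created in that domain as the comment notes.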