HSL Logging with an HA F5 Cluster
I am running a pair of 2000 series F5s in an HA Cluster. They are running v13.1.0.8 (Build 0.0.3). I created a UDP syslog pool (containing our Graylog Servers) and enabled HSL logging. I am having 2 issues with my implementation.
- I noticed in the Graylog portal that most of the messages from the F5s (which read "default send string") appear to be from the monitor that is configured on the syslog pool that I set up. Is there a way to prevent the monitor messages from getting to Graylog?
- I notice that in Graylog, I am only receiving logs from one of the F5s. I believe this is because I did not specify a "Local ip" address when configuring the "Remote Logging/Remote Syslog Server List", based on https://support.f5.com/csp/article/K13080. However, when I specify a "Local ip - Non HA" (I used the management ip), nothing changed.
I would like to receive messages in Graylog from both F5 nodes. Any advice is appreciated.
PS... In 2017, an "unknown" poster was having the very same issue (issue 2) and never received an answer. Here is that user's thread:
"I'm encountering an issue while configuring the remote logging of a DSC. While I can optionally set the local IP, I cannot define which interface to use for remote logging. When no local IP is configured, the logs are sent through the routing table of TMOS. I need to send the logs through the management interface, instead of the traffic interfaces. I can reach my goal when configuring the local IP as the one from the management interface. The poor thing is that the configuration needs to be synchronized after configuration. When I then synchronize the configuration, the other node's configuration doesn't have the management IP set; instead there is no local IP configured anymore and the traffic interfaces will be used to send out syslog traffic.
Unfortunately the documentation does only claim to set the local IP to a non-floating selfIP in HA configuration (https://support.f5.com/csp/article/K13080): Note: For BIG-IP systems in a high availability (HA) configuration, the non-floating self IP address is recommended if using a Traffic Management Microkernel (TMM) based IP address. From my understanding and experience this would end in the same issue, because the non-floating selfIP is not synchronized, but the remote logging configuration needs to be synchronized.
Is there any way to configure remote logging in a DSC without synchronizing this part of the configuration, or is there a way to change the routing of the syslog-ng to use the management interface as default? I saw very many users modifying the syslog-ng configuration itself, instead of using the builtin configuration."