Forum Discussion

Danny_Arroyo
Nov 08, 2018

HSL Logging with an HA F5 Cluster

I am running a pair of 2000 series F5s in an HA Cluster. They are running v13.1.0.8 (Build 0.0.3). I created a UDP syslog pool (containing our Graylog Servers) and enabled HSL logging. I am having 2 issues with my implementation.

 

  1. I noticed in the Graylog portal, most of the messages from the F5s (which read "default send string") appear to be from the Monitor that is configured on the syslog pool that I set up. Is there a way to prevent the monitor messages from getting to Graylog?

     

  2. I notice that in Graylog, I am only receiving logs from one of the F5s. I believe this is because I did not specify a "Local ip" address when configuring the "Remote Logging/Remote Syslog Server List", based on (https://support.f5.com/csp/article/K13080). However, when I specify a "Local ip - Non HA" (I used the management ip), nothing changed.

     

I would like to receive messages in Graylog from both F5 nodes. Any advice is appreciated.

 

PS... In 2017, an "unknown" poster was having the very same issue (issue 2) and never received an answer. Here is that user's thread:

 

"I'm encountering an issue while configuring the remote logging of a DSC. While I can optionally set the local IP, I cannot define which interface to use for remote logging. When no local IP is configured, the logs are sent through the routing table of TMOS. I need to send the logs through the management interface, instead of the traffic interfaces. I can reach my goal when configuring the local IP as the one from the management interface. The poor thing is, that the configuration needs to be synchronized after configuration. When I then synchronize the configuration, the other node's configuration doesn't have the management IP set, instead there is no local IP configured anymore and the traffic interfaces will be used to send out syslog traffic.

 

Unfortunately the documentation does only claim to set the local IP to a non-floating selfIP in HA configuration (https://support.f5.com/csp/article/K13080): Note: For BIG-IP systems in a high availability (HA) configuration, the non-floating self IP address is recommended if using a Traffic Management Microkernel (TMM) based IP address. From my understanding and experience this would end in the same issue, because the non-floating selfIP is not synchronized, but the remote logging configuration needs to be synchronized.

 

Is there any way to configure remote logging in a DSC without synchronizing this part of the configuration or is there a way to change the routing of the syslog-ng to use the management interface as default? I saw very many users modifying the syslog-ng configuration itself, instead of using the builtin configuration."

 

1 Reply

  • I noticed in the Graylog portal, most of the messages from the F5s (which read "default send string") appear to be from the Monitor that is configured on the syslog pool that I set up. Is there a way to prevent the monitor messages from getting to Graylog?

     

    That would need to be a configuration option in Graylog to drop those UDP monitor messages.

     

    We send them to see if we get an ICMP Unreachable back (indicating a closed port). What happens next (logging or dropping the message) is up to Graylog. You may want to review K6143: UDP health monitor operation to understand how a UDP monitor operates.

     

    I notice that in Graylog, I am only receiving logs from one of the F5s. I believe this is because I did not specify a "Local ip" address when configuring the "Remote Logging/Remote Syslog Server List", based on (https://support.f5.com/csp/article/K13080). However, when I specify a "Local ip - Non HA" (I used the management ip), nothing changed.

     

    Can we be clear about the difference between Remote SYSLOG and High Speed Logging?

     

    Remote Syslog is logging from syslog (i.e. control-plane service logs) to a syslog server.

     

    This traffic can be routed through tmm and should use the appropriate non-floating self-IP address as the source, or the management IP address (if the syslog server is on the management network). Some elements of the syslog config are synced config across the device-group, and some (such as the local-ip) are local to the device and need to be configured individually on each member of the device-group after syncing the config.

     

    High Speed Logging is data-plane logging from iRules/Logging Profiles/Request Logging Profile. Logs sent to HSL should always remain in tmm (on the data-plane) and should not pass through syslog on the control plane or be written to disk. While you can send this traffic to a syslog server routed via the management network (as above) this is not generally recommended.

     

    K50040950: Configuring the BIG-IP system to send high-speed logs through the management interface

     

    HSL logs are generated from the Active device/traffic-groups.

     

    So you need to create the remote syslog destination, sync the config, and then ensure each device is configured with the appropriate local-ip so you can determine which device sent the traffic.
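
A collector-side check for both issues in this thread, as an added example that is not part of the original posts and is not F5 or Graylog code: it discards datagrams that are only the UDP monitor payload and reports which cluster member is sending probes but no real log lines. The device names, source addresses and sample datagrams are constructed assumptions; the source address is whatever each unit uses as its local-ip.

```python
from collections import Counter

# Payload of the UDP health-monitor probe, as quoted in the thread.
MONITOR_PAYLOAD = b"default send string"

# Assumed source address (non-floating self IP or management IP) per unit.
# Constructed values from the documentation address ranges.
DEVICES = {"192.0.2.11": "bigip-a", "192.0.2.12": "bigip-b"}

# Constructed sample of (source IP, UDP payload) pairs seen by the collector.
SAMPLE = [
    ("192.0.2.11", b"default send string"),
    ("192.0.2.12", b"default send string\n"),
    ("192.0.2.11", b"<134>Nov  8 10:00:01 bigip-a info tmm[1234]: GET /index.html 200"),
    ("192.0.2.11", b"<134>Nov  8 10:00:05 bigip-a info tmm[1234]: body=default send string"),
    ("198.51.100.7", b"<13>Nov  8 10:00:02 otherhost test message"),
]


def is_monitor_probe(payload: bytes) -> bool:
    """True only when the whole datagram is the probe, so a real log line
    that happens to contain the same words is not dropped."""
    return payload.strip(b"\r\n\x00 ") == MONITOR_PAYLOAD


def triage(datagrams):
    """Return (logs, probes, unknown) counters keyed by device or source IP."""
    logs, probes, unknown = Counter(), Counter(), Counter()
    for src_ip, payload in datagrams:
        device = DEVICES.get(src_ip)
        if device is None:
            unknown[src_ip] += 1          # source not mapped to a cluster member
        elif is_monitor_probe(payload):
            probes[device] += 1           # health check, not log data
        else:
            logs[device] += 1
    return logs, probes, unknown


def silent_devices(logs, probes):
    """Members whose probes arrive (path works) but that sent no log lines:
    a standby unit for HSL, or a unit missing its per-device local-ip."""
    return sorted(d for d in DEVICES.values() if probes[d] > 0 and logs[d] == 0)


if __name__ == "__main__":
    logs, probes, unknown = triage(SAMPLE)
    print("logs:", dict(logs), "probes:", dict(probes), "unknown:", dict(unknown))
    print("probing but silent:", silent_devices(logs, probes))
```
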