Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

F5 Networks BIG-IP LTM

 

The F5 Networks BIG-IP Local Traffic Manager (LTM) DSM for JSA collects networks security events from a BIG-IP device by using syslog.

Before events can be received in JSA, you must configure a log source for JSA, then configure your BIG-IP LTM device to forward syslog events. Create the log source before events are forwarded as JSA does not automatically discover or create log sources for syslog events from F5 BIG-IP LTM appliances.

Configuring a Log Source

To integrate F5 BIG-IP LTM with JSA, you must manually create a log source to receive syslog events.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. Click Add.
  6. In the Log Source Name field, type a name for your log source.
  7. In the Log Source Description field, type a description for the log source.
  8. From the Log Source Type list, select F5 Networks BIG-IP LTM.
  9. Using the Protocol Configuration list, select Syslog.
  10. Configure the following values:

    Table 1: Syslog Protocol Parameters

    Parameter

    Description

    Log Source Identifier

    Type the IP address or host name for the log source as an identifier for events from your BIG-IP LTM appliance.

  11. Click Save.
  12. On the Admin tab, click Deploy Changes.

    You are now ready to configure your BIG-IP LTM appliance to forward syslog events to JSA.

Configuring Syslog Forwarding in BIG-IP LTM

You can configure your BIG-IP LTM device to forward syslog events.

You can configure syslog for the following BIG-IP LTM software version:

Configuring Remote Syslog for F5 BIG-IP LTM V11.x to V14.x

You can configure syslog for F5 BIG-IP LTM 11.x to V14.x.

To configure syslog for F5 BIG-IP LTM 11.x to V14.x take the following steps:

  1. Log in to the command-line of your F5 BIG-IP device.
  2. To log in to the Traffic Management Shell (tmsh), type the following command:

    tmsh

  3. To add a syslog server, type the following command:

    modify /sys syslog remote-servers add {<Name> {host <IP address> remote-port 514}}

    Where:

    • <Name> is a name that you assign to identify the syslog server on your BIG-IP LTM appliance.

    • <IP address> is the IP address of JSA.

    For example,

    modify /sys syslog remote-servers add {BIGIPsyslog {host 192.0.2.1 remote-port 514}}

  4. Save the configuration changes:

    save /sys config

    Events that are forwarded from your F5 Networks BIG-IP LTM appliance are displayed on the Log Activity tab in JSA.

Configuring Remote Syslog for F5 BIG-IP LTM V10.x

You can configure syslog for F5 BIG-IP LTM V10.x.

To configure syslog for F5 BIG-IP LTM V10.x take the following steps:

  1. Log in to the command-line of your F5 BIG-IP device.
  2. Type the following command to add a single remote syslog server:

    bigpipe syslog remote server {<Name> {host <IP address>}}

    Where:

    • <Name> is the name of the F5 BIG-IP LTM syslog source.

    • <IP address> is the IP address of JSA.

    For example:

    bigpipe syslog remote server {BIGIPsyslog {host 10.100.100.100}}

  3. Save the configuration changes:

    bigpipe save

    Note

    F5 Networks modified the syslog output format in BIG-IP V10.x to include the use of local/ before the host name in the syslog header. The syslog header format that contains local/ is not supported in JSA, but a workaround is available to correct the syslog header. For more information, see https://kb.juniper.net/KB20922.

    Events that are forwarded from your F5 Networks BIG-IP LTM appliance are displayed on the Log Activity tab in JSA.

Configuring Remote Syslog for F5 BIG-IP LTM V9.4.2 to V9.4.8

You can configure syslog for F5 BIG-IP LTM V9.4.2 to V9.4.8.

To configure syslog for F5 BIG-IP LTM V9.4.2 to V9.4.8 take the following steps:

  1. Log in to the command-line of your F5 BIG-IP device.
  2. Type the following command to add a single remote syslog server:

    bigpipe syslog remote server <IP address>

    Where: <IP address> is the IP address of JSA.

    For example:

    bigpipe syslog remote server 192.0.2.1

  3. Type the following to save the configuration changes:

    bigpipe save

    The configuration is complete. Events that are forwarded from your F5 Networks BIG-IP LTM appliance are displayed on the Log Activity tab in JSA.