F5 Networks BIG-IP LTM
The F5 Networks BIG-IP Local Traffic Manager (LTM) DSM for JSA collects network security events from a BIG-IP device by using syslog.
Before events can be received in JSA, you must configure a log source for JSA, then configure your BIG-IP LTM device to forward syslog events. Create the log source before events are forwarded, because JSA does not automatically discover or create log sources for syslog events from F5 BIG-IP LTM appliances.
Syslog Log Source Parameters for F5 Networks BIG-IP LTM
Add an F5 Networks BIG-IP LTM log source on the JSA Console by using the syslog protocol.
When using the syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect syslog events from F5 Networks BIG-IP LTM:
Table 1: Syslog Log Source Parameters for the F5 Networks BIG-IP LTM DSM
Parameter | Value |
---|---|
Log Source type | F5 Networks BIG-IP LTM |
Protocol Configuration | Syslog |
Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your F5 Networks BIG-IP LTM devices. |
Configuring Syslog Forwarding in BIG-IP LTM
You can configure your BIG-IP LTM device to forward syslog events.
You can configure syslog for the following BIG-IP LTM software versions:
- Configuring Remote Syslog for F5 BIG-IP LTM V11.x to V14.x
- Configuring Remote Syslog for F5 BIG-IP LTM V10.x
- Configuring Remote Syslog for F5 BIG-IP LTM V9.4.2 to V9.4.8
Configuring Remote Syslog for F5 BIG-IP LTM V11.x to V14.x
You can configure syslog for F5 BIG-IP LTM V11.x to V14.x.
To configure syslog for F5 BIG-IP LTM V11.x to V14.x, take the following steps:
- Log in to the command-line of your F5 BIG-IP device.
- To log in to the Traffic Management Shell (tmsh), type the following command:
tmsh
- To add a syslog server, type the following command:
modify /sys syslog remote-servers add {<Name> {host <IP address> remote-port 514}}
Where:
<Name> is a name that you assign to identify the syslog server on your BIG-IP LTM appliance.
<IP address> is the IP address of JSA.
For example:
modify /sys syslog remote-servers add {BIGIPsyslog {host 192.0.2.1 remote-port 514}}
- Save the configuration changes:
save /sys config
Events that are forwarded from your F5 Networks BIG-IP LTM appliance are displayed on the Log Activity tab in JSA.
Configuring Remote Syslog for F5 BIG-IP LTM V10.x
You can configure syslog for F5 BIG-IP LTM V10.x.
To configure syslog for F5 BIG-IP LTM V10.x, take the following steps:
- Log in to the command-line of your F5 BIG-IP device.
- Type the following command to add a single remote syslog server:
bigpipe syslog remote server {<Name> {host <IP address>}}
Where:
<Name> is the name of the F5 BIG-IP LTM syslog source.
<IP address> is the IP address of JSA.
For example:
bigpipe syslog remote server {BIGIPsyslog {host 10.100.100.100}}
- Save the configuration changes:
bigpipe save
Note: F5 Networks modified the syslog output format in BIG-IP V10.x to include the use of local/ before the host name in the syslog header. The syslog header format that contains local/ is not supported in JSA, but a workaround is available to correct the syslog header. For more information, see https://kb.juniper.net/KB20922.
Events that are forwarded from your F5 Networks BIG-IP LTM appliance are displayed on the Log Activity tab in JSA.
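To check whether events arriving from a V10.x device carry the local/ header described in the note above, the following added example (not part of the original page, and not the KB20922 workaround) parses a syslog header and strips the prefix from the host field only. The function names and sample lines are constructed for illustration.

```python
import re

# RFC 3164-style header: optional <PRI>, timestamp, then the host field.
# The V10.x format described in the note puts "local/" before the host name.
HEADER = re.compile(
    r"^(?P<pri><\d{1,3}>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)
PREFIX = "local/"


def normalize_header(line):
    """Return (normalized_line, had_prefix); unparseable lines pass through."""
    m = HEADER.match(line)
    if m is None:
        return line, False
    host = m.group("host")
    # Only the host field is rewritten; "local/" in the message body is kept.
    if not host.startswith(PREFIX) or host == PREFIX:
        return line, False
    fixed = "{}{} {} {}".format(
        m.group("pri") or "", m.group("ts"), host[len(PREFIX):], m.group("rest")
    )
    return fixed, True


def audit(lines):
    """Return the cleaned lines and a count of lines that had the prefix."""
    cleaned, flagged = [], 0
    for line in lines:
        out, had = normalize_header(line.rstrip("\n"))
        cleaned.append(out)
        flagged += had
    return cleaned, flagged


# Constructed sample lines (not captured from a real device).
SAMPLE = [
    "<133>Oct 12 11:11:11 local/bigip1 notice mcpd[1234]: constructed message A",
    "<133>Oct 12 11:11:12 bigip1 notice mcpd[1234]: constructed message B",
    "<134>Oct  2 01:02:03 local/bigip1 info tmm[4321]: path local/ inside message",
    "not a syslog line",
]

if __name__ == "__main__":
    cleaned, flagged = audit(SAMPLE)
    print(flagged, "of", len(SAMPLE), "lines carried the local/ prefix")
    for line in cleaned:
        print(line)
```

A non-zero count on lines received from the BIG-IP device indicates the header still needs the correction that the note refers to.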
Configuring Remote Syslog for F5 BIG-IP LTM V9.4.2 to V9.4.8
You can configure syslog for F5 BIG-IP LTM V9.4.2 to V9.4.8.
To configure syslog for F5 BIG-IP LTM V9.4.2 to V9.4.8, take the following steps:
- Log in to the command-line of your F5 BIG-IP device.
- Type the following command to add a single remote syslog server:
bigpipe syslog remote server <IP address>
Where: <IP address> is the IP address of JSA.
For example:
bigpipe syslog remote server 192.0.2.1
- Type the following to save the configuration changes:
bigpipe save
The configuration is complete. Events that are forwarded from your F5 Networks BIG-IP LTM appliance are displayed on the Log Activity tab in JSA.