Manual Chapter : Configuring Remote High-Speed Logging

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP Analytics

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP Link Controller

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP LTM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP PEM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP AFM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP DNS

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP ASM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
Manual Chapter

Configuring Remote High-Speed Logging

Overview: Configuring high-speed remote logging

You can configure the BIG-IP system to log information about BIG-IP system processes and send the log messages to remote high-speed log servers. You can filter the data that the system logs based on alert-level and source.
This illustration shows the association of the configuration objects for remote high-speed logging of BIG-IP system processes.
Association of remote high-speed logging configuration objects
Associations between remote high-speed logging configuration objects

Task summary

Perform these tasks to configure BIG-IP system logging.
Enabling remote high-speed logging impacts BIG-IP system performance.

About the configuration objects of high-speed remote logging

When configuring remote high-speed logging of BIG-IP system processes, it is helpful to understand the objects you need to create and why, as described here:
Object
Reason
Applies to
Pool of remote log servers
Create a pool of remote log servers to which the BIG-IP system can send log messages.
Creating a pool of remote logging servers.
Destination (unformatted)
Create a log destination of Remote High-Speed Log type that specifies a pool of remote log servers.
Creating a remote high-speed log destination.
Destination (formatted)
If your remote log servers are the ArcSight, Splunk, IPFIX, or Remote Syslog type, create an additional log destination to format the logs in the required format and forward the logs to a remote high-speed log destination.
Creating a formatted remote high-speed log destination.
Publisher
Create a log publisher to send logs to a set of specified log destinations.
Creating a publisher.
Filter
Create a log filter to define the messages to be included in the BIG-IP system logs and associate a log publisher with the filter.
Creating a logging filter.

Create a pool of remote logging servers

Before creating a pool of log servers, gather the IP addresses of the servers that you want to include in the pool. Ensure that the remote log servers are configured to listen to and receive log messages from the BIG-IP system.
Create a pool of remote log servers to which the BIG-IP system can send log messages.
  1. At the top of the screen, click
    Configuration
    .
  2. On the Main tab, click
    Local Traffic
    Pools
    .
    The Pool List screen opens.
  3. Click
    Create
    .
    The New Pool screen opens.
  4. In the
    Name
    field, type a unique name for the pool.
  5. Using the
    New Members
    setting, add the IP address for each remote logging server that you want to include in the pool:
    1. Type an IP address in the
      Address
      field, or select a node address from the
      Node List
      .
    2. Type a service number in the
      Service Port
      field, or select a service name from the list.
      Typical remote logging servers require port
      514
      .
    3. Click
      Add
      .
  6. Click
    Finished
    .

Create a remote high-speed log destination

Before creating a remote high-speed log destination, ensure that at least one pool of remote log servers exists on the BIG-IP system.
Create a log destination of the
Remote High-Speed Log
type to specify that log messages are sent to a pool of remote log servers.
  1. On the Main tab, click
    System
    Logs
    Configuration
    Log Destinations
    .
    The Log Destinations screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique, identifiable name for this destination.
  4. From the
    Type
    list, select
    Remote High-Speed Log
    .
    If you use log servers such as Remote Syslog, Splunk, or ArcSight, which require data be sent to the servers in a specific format, you must create an additional log destination of the required type, and associate it with a log destination of the
    Remote High-Speed Log
    type. With this configuration, the BIG-IP system can send data to the servers in the required format.
    The BIG-IP system is configured to send an unformatted string of text to the log servers.
  5. From the
    Pool Name
    list, select the pool of remote log servers to which you want the BIG-IP system to send log messages.
  6. From the
    Protocol
    list, select the protocol used by the high-speed logging pool members.
  7. Click
    Finished
    .

Create a formatted remote high-speed log destination

Ensure that at least one remote high-speed log destination exists on the BIG-IP system.
Create a formatted logging destination to specify that log messages are sent to a pool of remote log servers, such as Remote Syslog, Splunk, or IPFIX servers.
  1. On the Main tab, click
    System
    Logs
    Configuration
    Log Destinations
    .
    The Log Destinations screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique, identifiable name for this destination.
  4. From the
    Type
    list, select a formatted logging destination, such as
    Remote Syslog
    ,
    Splunk
    , or
    IPFIX
    .
    The Splunk format is a predefined format of key value pairs.
    The BIG-IP system is configured to send a formatted string of text to the log servers.
  5. If you selected
    Remote Syslog
    , then from the
    Syslog Format
    list select a format for the logs, and then from the
    High-Speed Log Destination
    list, select the destination that points to a pool of remote Syslog servers to which you want the BIG-IP system to send log messages.
    For logs coming from Access Policy Manager (APM), only the BSD Syslog format is supported.
  6. If you selected
    Splunk
    or
    IPFIX
    , then from the
    Forward To
    list, select the destination that points to a pool of high-speed log servers to which you want the BIG-IP system to send log messages.
  7. Click
    Finished
    .

Create a publisher

Ensure that at least one destination associated with a pool of remote log servers exists on the BIG-IP system.
Create a publisher to specify where the BIG-IP system sends log messages for specific resources.
  1. On the Main tab, click
    System
    Logs
    Configuration
    Log Publishers
    .
    The Log Publishers screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique, identifiable name for this publisher.
  4. For the
    Destinations
    setting, select a destination from the
    Available
    list, and click
    <<
    to move the destination to the
    Selected
    list.
    If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or ArcSight.
  5. Click
    Finished
    .

Creating a logging filter

Ensure that at least one log publisher is configured on the BIG-IP system.
Create a custom log filter to specify the system log messages that you want to publish to a particular log.
  1. On the Main tab, click
    System
    Logs
    Configuration
    Log Filters
    .
    The Log Filters screen opens.
  2. In the
    Name
    field, type a unique, identifiable name for this filter.
  3. From the
    Severity
    list, select the level of alerts that you want the system to use for this filter.
    The severity level that you select includes all of the severity levels that display above your selection in the list. For example, if you select
    Emergency
    , the system publishes only emergency messages to the log. If you select
    Critical
    , the system publishes critical, alert, and emergency-level messages in the log.
  4. From the
    Source
    list, select the system processes from which messages will be sent to the log.
  5. In the
    Message ID
    field, type the first eight hex-digits of the specific message ID that you want the system to include in the log. Use this field when you want a log to contain only each instance of one specific log message.
    BIG-IP system log messages contain message ID strings in the format:
    xxxxxxxx:x:
    . For example, in this log message:
    Oct 31 11:06:27 olgavmmgmt notice mcpd[5641]: 01070410:5: Removed subscription with subscriber id lind
    , the message ID string is:
    01070410:5:
    . You enter only the first eight hex-digits:
    01070410
    .
  6. From the
    Log Publisher
    list, select the publisher that includes the destinations to which you want to send log messages.
  7. Click
    Finished
    .

Disabling system logging

When you no longer want the BIG-IP system to log information about its internal systems, you can delete the log filter that you created. For example, when mitigating a DoS attack, if you created a log filter that includes only one specific message in the log, you can delete that log filter once you handle the attack.
  1. On the Main tab, click
    System
    Logs
    Configuration
    Log Filters
    .
    The Log Filters screen opens.
  2. Select the check box next to the name of the log filter that you want to delete. Click
    Delete
    , and then click
    Delete
    again.

Troubleshooting logs that contain unexpected messages

If you configured a filter to send all instances of a specific message ID to your remote logging servers and this message ID is still displaying in the local log in the BIG-IP system, you can disable legacy log message processing in order to display instances of this message ID only on the remote logging servers.
When you create a filter that disables legacy log message processing, the legacy logs are completely disabled. Therefore, you must also create a filter for every source from which you want log messages to be sent to the pool of remote log servers.
  1. On the Main tab, click
    System
    Logs
    Configuration
    Log Filters
    .
    The Log Filters screen opens.
  2. Click
    Create
    .
  3. In the
    Name
    field, type a unique, identifiable name for this filter.
  4. From the
    Severity
    list, select
    Debug
    .
  5. From the
    Source
    list, select
    All
    .
  6. From the
    Log Publisher
    list, select
    None
    .
  7. Click
    Finished
    .