--> Maintaining and verifying log messages is an important task for the F5 administrator.
--> The log messages can contain information ranging from Linux events to Local Traffic, Global Traffic and other subsystems.
--> On the BIG-IP system, you can store the log messages in two locations:
i) Local to the BIG-IP system
ii) Remote syslog server
--> Local logging is done on the BIG-IP system using the Linux syslog-ng daemon, and the log data is stored locally on the BIG-IP system.
--> Remote logging is implemented on the BIG-IP system using either Linux syslog-ng or TMOS, and the log data is stored on remote syslog servers.
--> If remote logging is implemented on the BIG-IP system using TMOS it is called High Speed Logging; if it is implemented using Linux syslog-ng it is called Legacy Logging.
Legacy Logging:
--> Logging is done by using syslog-ng.
--> It can be configured so that log messages are forwarded to one remote syslog server or to multiple remote syslog servers.
--> Navigate to System > Logs > Configuration > Remote Logging to configure the remote syslog server IP address.
--> By default, syslog-ng sends the log messages to UDP port 514 on the remote syslog server.
High Speed Logging:
--> Logging is done by using TMSH.
--> Below are the components used under High Speed Logging:
i) Log Filters
ii) Log Publishers
iii) Log Destinations
--> We need to create filters to identify which log messages need to be sent to the remote syslog server.
--> The filters can be created based on the criteria below:
i) Which service is sending the log message (gtmd, big3d, tmm etc.)
ii) What the severity level of the log message is (Notice, Informational, Debug etc.)
iii) The Log ID number
--> For example, we can create a filter that sends only log messages generated by gtmd, or only log messages with the severity level of notice.
--> Publishers are nothing but one or more remote syslog servers, which can be one of the following:
i) Normal Syslog Server
ii) Splunk
iii) ArcSight
iv) IPFIX
--> If the publisher is a normal syslog server, then TMSH sends the log to the remote syslog server without parsing the format.
--> If the publisher is Splunk or ArcSight, then TMSH formats the log message according to the selected remote syslog server and sends the logs once they are formatted.
--> Once you know the publisher type, you have to create a log pool with one or more remote syslog servers.
Implementation Steps:
i) Create a Pool of Remote Syslog servers by navigating to Local Traffic > Pools > Pool_Syslog
ii) Configure Log Destination by navigating to System > Logs > Configuration > Log Destination
iii) Configure Log Publisher
iv) Configure Log Filter
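--> The same configuration can be built from the TMSH command line instead of the GUI. The script below is an added example written for this post, not configuration taken from F5 documentation; it covers both the Legacy Logging remote server from the first section and the four High Speed Logging steps above (pool, destination, publisher, filter). Every object name (Pool_Syslog, Syslog_Pub, the _hsl and _syslog suffixes, the filter_ prefix) and the server address 192.0.2.10 are constructed placeholders. The functions only print the tmsh commands so they can be reviewed; they are executed only when APPLY=1 is set and tmsh is actually present on the box.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) BIG-IP remote logging config.
# All object names and the 192.0.2.10 address are constructed placeholders.

# Legacy Logging: point syslog-ng at a remote server (UDP 514 by default).
# $1 = remote server IP, $2 = remote port (defaults to 514)
legacy_syslog_cmds() {
    host="$1"; port="${2:-514}"
    # object name derived from the IP so it stays unique per server
    name="remote_$(printf '%s' "$host" | tr . _)"
    printf 'tmsh modify sys syslog remote-servers add { %s { host %s remote-port %s } }\n' \
        "$name" "$host" "$port"
}

# High Speed Logging: pool -> HSL destination -> syslog destination -> publisher -> filter.
# $1 = pool name, $2 = member as ip:port, $3 = udp|tcp (defaults to udp),
# $4 = publisher name, $5 = source daemon for the filter (e.g. gtmd), $6 = severity level
hsl_cmds() {
    pool="$1"; member="$2"; proto="${3:-udp}"
    pub="$4"; src="$5"; lvl="$6"
    cat <<EOF
tmsh create ltm pool ${pool} members add { ${member} } monitor gateway_icmp
tmsh create sys log-config destination remote-high-speed-log ${pool}_hsl pool-name ${pool} protocol ${proto}
tmsh create sys log-config destination remote-syslog ${pool}_syslog remote-high-speed-log ${pool}_hsl format rfc5424
tmsh create sys log-config publisher ${pub} destinations add { ${pool}_syslog }
tmsh create sys log-config filter filter_${src}_${lvl} source ${src} level ${lvl} publisher ${pub}
EOF
}

# Dry-run by default: print the commands for review. Execute them only when
# APPLY=1 is set and the tmsh binary exists (i.e. we are on a BIG-IP).
run_or_print() {
    if [ "${APPLY:-0}" = "1" ] && command -v tmsh >/dev/null 2>&1; then
        while IFS= read -r line; do eval "$line"; done
    else
        cat
    fi
}

# Usage: legacy forwarding to one server, then HSL over TCP filtered to gtmd/notice.
legacy_syslog_cmds 192.0.2.10 514 | run_or_print
hsl_cmds Pool_Syslog 192.0.2.10:514 tcp Syslog_Pub gtmd notice | run_or_print
```

--> Note that UDP 514 gives the collector no way to detect dropped or spoofed messages; the HSL destination accepts `protocol tcp`, which at least guarantees delivery ordering and lets a dropped connection show up as a pool member going down. Review the printed commands before setting APPLY=1.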