
    Configuration steps for Syslog forwarding from F5 devices to EventLog Analyzer

    1. To forward system logs:
      • Log in to the Configuration Utility.
      • Navigate to System > Logs > Configuration > Remote Logging.
      • Enter the remote IP. The remote IP in this case would be EventLog Analyzer server's IP address.
      • Enter the remote port number. The default remote port for EventLog Analyzer is 514.
      • Click on Add.
      • Click on Update.
    2. To forward event logs (e.g., Firewall Events, Application Security Events):
      • Create a management port destination.
        1. Log in to the Configuration Utility.
        2. Navigate to System > Logs > Configuration > Log Destinations.
        3. Click on Create.
        4. Enter a name for the log destination.
        5. To specify the log type, click management port.
        6. Enter the IP address of the EventLog Analyzer server.
        7. Enter the listening port of the EventLog Analyzer server. The default listening port is 514.
        8. For protocol, select the UDP protocol.
        9. Click on Finish.
      • Create a formatted remote syslog destination.
        1. Now navigate to System > Logs > Configuration > Log Destinations.
        2. Click on Create.
        3. Enter a name for the log destination.
        4. To specify the log type, select remote syslog.
        5. Under syslog settings, set the syslog format to syslog, and in the forward-to setting select the management port destination as the syslog destination.
        6. Click on Finish.
      • Create a log publisher to forward the logs.
        1. Navigate to System > Logs > Configuration > Log Publishers.
        2. Click on Create.
        3. Enter a name for the log publisher configuration.
        4. In the available list, click the previously configured remote syslog destination name and move it to the selected list.
        5. Click on Finish.
      • Create a logging profile for virtual servers.
        1. Navigate to Security > Event Logs > Logging Profiles.
        2. Click on Create.
        3. Enter a profile name for the logging profile.
        4. Then enable Network Firewall, Application Security, or both by selecting the corresponding checkbox.
          • For network firewall event logging, follow the steps below:
            1. Under the network firewall configuration, enter the previously configured Syslog publisher as the publisher.
            2. Under log rule matches, click Accept, Drop, and Reject. (Note: If you do not want any logs, you can disable it.)
            3. Leave the other options at their defaults. (Note: Storage Format should be none.)
          • For application security event logging, follow the steps below:
            1. Under application security configuration, select storage destination as Remote Storage.
            2. Select logging format as Key-Value Pairs (Splunk).
            3. Select the protocol as UDP or TCP.
            4. Enter the EventLog Analyzer server IP address and port (513/514) and click on Add.
        5. Then click on Create.
      • Apply the logging profile to the corresponding virtual server.
        1. Now navigate to Local Traffic > Virtual Servers.
        2. Select the virtual server to which you want to apply the logging profile.
        3. At the top, click the security tab and then click on the policy.
        4. Go to Network Firewall.
        5. Set Enforcement: Enabled, and select your network firewall policy.
        6. Under log profile, enable the log profile and select the previously configured logging profile.
        7. Then click on Update.
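
To confirm that the F5 device is actually forwarding after the steps above, a small UDP receiver can be pointed at temporarily and its output inspected. This is an added example, not part of the vendor's procedure. It assumes a test port of 5514 and a comma-separated key="value" layout for the Key-Value Pairs format; the sample message and its field names are constructed.

```python
import re
import socket

# <PRI> prefix of a syslog message: PRI = facility * 8 + severity
PRI_RE = re.compile(r"^<(\d{1,3})>")
# key="value" pairs (assumed layout); quoted values may contain commas
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_syslog(datagram: bytes) -> dict:
    """Split one syslog datagram into PRI fields, raw text and key-value fields."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    record = {"facility": None, "severity": None, "raw": text, "fields": {}}
    m = PRI_RE.match(text)
    if m and int(m.group(1)) <= 191:  # 23 * 8 + 7 is the largest valid PRI
        record["facility"], record["severity"] = divmod(int(m.group(1)), 8)
    record["fields"] = dict(KV_RE.findall(text))
    return record

def collect(sock: socket.socket, count: int = 1, timeout: float = 5.0) -> list:
    """Read up to `count` datagrams from a bound UDP socket; stop early on timeout."""
    sock.settimeout(timeout)
    records = []
    try:
        while len(records) < count:
            data, (src_ip, _port) = sock.recvfrom(65535)
            rec = parse_syslog(data)
            rec["source"] = src_ip  # compare against the F5 address you expect
            records.append(rec)
    except socket.timeout:
        pass  # nothing (more) arrived: check destination IP, port and protocol
    return records

# Constructed sample, not captured from a real device; field names are illustrative.
SAMPLE = (b'<134>Jan  1 00:00:00 bigip1.example.test ASM:'
          b'attack_type="Example, Constructed",ip_client="192.0.2.10",'
          b'request_status="blocked",uri="/login"')

if __name__ == "__main__":
    print(parse_syslog(SAMPLE))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", 5514))  # assumption: test port; binding 514 needs elevated privileges
        for rec in collect(s, count=5, timeout=30.0):
            print(rec["source"], rec["severity"], rec["fields"] or rec["raw"])
```

An empty result after the timeout means no datagrams reached the receiver, which points at the destination IP, port, protocol selection, or a firewall between the device and the collector.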
