How to add F5 device in EventLog Analyzer
Objective
EventLog Analyzer collects logs from F5 devices using the Syslog protocol. Syslog services has to be configured in F5 Devices to have the logs forwarded to EventLog Analyzer.
This article offers you step by step instructions to add F5 Device in EventLog Analyzer.
Prerequisites
Before adding a F5 device, ensure:
- Access to F5 Device as administrator to perform syslog configuration.
- Review the listener ports of EventLog Analyzer instance in Listener Port Settings and ensure to configure the Unix/Linux device to forward the logs to the same port & protocol. (Default UDP - 514/513, TCP - 514, TLS - 513)
- Proper firewall rules in EventLog Analyzer server(inbound), Security Application(if available) and Network Firewall(if available) and Unix/Linux device (outbound) to allow the communication from F5 Device to EventLog Analyzer server.
- The F5 device hostname - IP address must be resolvable by the EventLog Analyzer server (important for DHCP-based IP changes).
- For TLS log collection, Ensure to enable HTTPs for EventLog Analyzer by applying SSL. Refer How to enable HTTPs for EventLog Analyzer
Steps to follow
Step 1: Configure Syslog service in F5 Device:
NOTE: Below steps are provided as a sample configuration. For actual configuration for your model/Version, check out with the vendor for actual syslog configuration.
To configure the Syslog service in your F5 devices, follow the steps below:
- To forward system logs:
- Login into Configuration Utility.
- Navigate to System > Logs > Configuration > Remote Logging.
- Enter the remote IP. The remote IP in this case would be EventLog Analyzer server's IP address.
- Enter the remote port number. The default remote port for EventLog Analyzer is 514.
- Click on Add.
- Click on Update.
- To forward event logs. (Ex: Firewall Events, Application Security Event)
- Create management port destination
- Login to Configuration Utility.
- Navigate to System > Logs > Configuration > Log Destinations.
- Click on Create.
- Enter a name for the log destination.
- To specify the log type, click management port.
- Enter the IP address of the EventLog Analyzer server.
- Enter the listening port of the EventLog Analyzer server. The default listening port is 514.
- For protocol, select the UDP protocol.
- Click on Finish.
- Create a formatted remote syslog destination.
- Now navigate to System > Logs > Configuration > Log Destinations.
- Click on Create.
- Enter a name for the log destination.
- To specify the log type, select remote syslog.
- Under syslog settings, set the syslog format as syslog and select the forward to management Port as the syslog destination.
- Click on Finish.
- Create a log publisher to forward the logs.
- Navigate to System > Logs > Configuration > Log Publishers.
- Click on Create.
- Enter a name for the log publisher configuration.
- In the available list, click the previously configured remote syslog destination name and move it to the selected list.
- Click on Finish.
- Create a logging profile for virtual servers.
- Navigate to Security > Event Logs > Logging Profiles.
- Click on Create.
- Enter a profile name for the logging profile.
- Then enable the Network Firewall or Application Security or Both by clicking on the checkbox.
- For network firewall event logging, follow the steps below
- Under the network firewall configuration, enter the publisher. Enter the previously configured Syslog publisher.
- Under log rule matches, click Accept, Drop, and Reject. (Note: If you do not want any logs, you can disable it).
- Leave other options in default. (Note: Storage Format should be none)
- For application security event logging, follow the below steps
- Under application security configuration, select storage destination as Remote Storage.
- Select logging format as Key-Value Pairs (Splunk).
- Select the protocol as UDP or TCP.
- Enter Eventlog Analyzer server IP address and port (513/514) and click on Add.
- Then click on Create.
- Apply Logging Profile to corresponding Virtual Server
- Now navigate to Local Traffic > Virtual Servers
- Select your virtual server to which you want to apply logging profile.
- On the top, tap on the security tab and click on the policy.
- Go to Network Firewall.
- Set Enforcement: Enabled, and select your network firewall policy.
- Under log profile, enable the log profile and select the previously configured logging profile.
- Then click on Update.
Step 2: Ensure to allow communication from F5 Device to EventLog Analyzer server over the ports that are listened by EventLog Analyzer for syslog configuration. You can check or reconfigure the listened ports in Listener Port Settings
Step 3: Check if the logs have reached the EventLog Analyzer server using Log Receiver or built-in packet capture tool.
Step 4: Once the packet reaches EventLog Analyzer server and if the Local Firewall or Security Applications allow the traffic over the listener ports, the log packets will be collected by the application.
Step 5: The device will be added automatically in the application with the device name by resolving the DNS. You can locate the device name in Settings >> Log Source Configuration >> Devices >> Syslog device.
Step 6: If the device name exists already as Syslog Device, collected logs will be auto mapped to the same entry.
Verification
To confirm that the device is added and logs are collected:
- Go to Search → Log Search in EventLog Analyzer.
- Select the device from the list and search for incoming logs.
Tips
1. How does a device name is determined during initial auto addition once syslog packet reaches EventLog Analyzer ?
The value/name that you are able to see in the User interface is "Display name" which will be same as device name value initially. Display name can be changed based on requirement using Update device option.
Device name value will be auto identified based on the source information available in the syslog packet and DNS resolution. There are two scenarios with two cases.
Scenario 1: Source information has Hostname of Syslog device. EventLog Analyzer attempts to resolve with DNS to get the IP address.
Case 1: EventLog Analyzer server is able to resolve the Hostname with IP address using DNS.
Device will be added with "Device name" value as "Hostname" and "IP address" value with its "IP address"
Case 2: EventLog Analyzer server is unable to resolve the Hostname with IP address using DNS. (Due to unavailablity of DNS server or internal DNS resolution issue)
Device will be added with "Device name" value as "Hostname" and "IP address" value with its "Device name"
Scenario 2: Source Information has IP address of Syslog device. EventLog Analyzer attempts to resolve with DNS to get the Hostname.
Case 1: EventLog Analyzer server is able to resolve the IP address with Hostname using DNS.
Device will be added with "Device name" value as "Hostname" and "IP address" value with its "IP address"
Case 2: EventLog Analyzer server is unable to resolve the IP Address with Hostname using DNS.
Device will be added with "Device name" value as "IP Address" and "IP address" value with the "IP address"
2. If multiple devices forward logs via a relay server, EventLog Analyzer uses the hostname from syslog packets to differentiate devices.
How it works:
Prerequisite: Forwarded syslogs should adhere to standard RFC 3164 and the corresponding Relay server configuration must be enabled in EventLog Analyzer.
Sample Log - <34>Oct 18 22:00:15 rootmachine su: 'su root' failed for test on /dev/pts/
NOTE: The hostname ( rootmachine ) is parsed from the syslog packet and the syslog device is added with the hostname.
- If the hostname is already present in the database, then the logs will be mapped to that device.
- The syslog device can be Unix, F5, F5, Palto Alto,etc.
3. When the IP addresses of syslog devices change frequently due to DHCP, a new device is added with a new IP address whenever the IP changes and if the name cannot be resolved.
How it works:
Prerequisite: Forwarded syslogs from all the syslog devices to Eventlog Analyzer should adhere to standard RFC 3164 and the corresponding DHCP configuration must be enabled in EventLog Analyzer.
Sample Log - <34>Oct 18 22:00:15 rootmachine su: 'su root' failed for test on /dev/pts/8
NOTE: The hostname( rootmachine ) is parsed from the syslog packet and the syslog device is added with the hostname.
- If the hostname is already present in the database, then the logs will be mapped to the respective device.
- Ensure to configure syslog service using EventLog Analyzer hostname/IP address which ever is static.
New to ADSelfService Plus?
Related Articles
How to add Topsec device in EventLog Analyzer
Objective EventLog Analyzer collects logs from Topsec devices using the Syslog protocol. Syslog services has to be configured in Topsec Devices to have the logs forwarded to EventLog Analyzer. This article offers you step by step instructions to add ...How to add HP-UX/Solaris/AIX device in EventLog Analyzer
Objective EventLog Analyzer collects logs from HP-UX/Solaris/AIX devices using the Syslog protocol. Syslog services has to be configured in HP-UX/Solaris/AIX Devices to have the logs forwarded to EventLog Analyzer. This article offers you step by ...How to create a custom Device Group in EventLog Analyzer
Objective This article offers detailed information on how to create a Custom Device Group in EventLog Analyzer. Prerequisites Need access to EventLog Analyzer console with an administrator role or a role with delegated Manage Device Group permission. ...How to add a print server in EventLog Analyzer
Objective This document outlines the procedure for integrating a print server with ManageEngine EventLog Analyzer. Monitoring print servers is essential for maintaining operational efficiency and safeguarding against unauthorized data access. By ...Enabling historic log collection in EventLog Analyzer
EventLog Analyzer collects all the logs present in the Windows Event Viewer (i.e., Windows Logs > Application, Security, System) when the historic log collection option is enabled. To enable historic log collection, follow the steps below: Navigate ...