Forum Discussion

Marvin_129795
Aug 27, 2015

Syslog Arcsight and remote destination Syslog combined

Hi All,


I have a BIG-IP LTM + ASM installed. Within the ASM I have a logging profile configured that sends the ASM logs in CEF format to Arcsight, and that works perfectly.

I also have a standard Syslog destination configured in the System menu with the same remote log destination, because I also want standard Syslog information to be sent to the same Syslog server.

The problem is that it just does not work. If I generate some logs by shutting down a pool, there is no traffic sent to the Syslog server. The very strange thing is that when I change the IP to another IP that is different from the Arcsight IP, it is sent.

So it seems you are not able to combine ASM syslog CEF and a normal Syslog destination using the same destination IP.

I also tried to restart the syslog-ng daemon, but that also did not fix the problem.

Does someone have an explanation for this?


  • The ASM logging profile might be looking up the routing for the syslog IP in the tmm route-table.

    The syslogd is sending syslogs from the management IP and looking up the route in "tmsh sys management-route".

    A tcpdump would help pinpoint the issue.

    cheers.

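The check Amit suggests, written out as an added example (this is not code from the thread, from F5, or from either poster): list the two route tables a BIG-IP consults, then capture on both interface sets, because `tcpdump -i 0.0` only sees TMM VLANs while host daemons such as syslog-ng leave through the management port. The syslog server address 10.0.0.50 and port 514 are placeholder assumptions; pass your own as arguments. It is meant to be run on the BIG-IP itself and does nothing destructive elsewhere.

```shell
#!/bin/bash
# Added diagnostic for "syslog works to one IP but not the ArcSight IP".
# Assumption (not from the thread): remote syslog server 10.0.0.50, UDP/514.
DEST="${1:-10.0.0.50}"
PORT="${2:-514}"

# True only on a BIG-IP, where the tmsh CLI exists.
on_bigip() {
    command -v tmsh >/dev/null 2>&1
}

# Map a log source to the tcpdump interface that actually carries it:
# ASM logging profiles are TMM-sourced (all VLANs = 0.0), syslog-ng is
# host-sourced and leaves via the management port (mgmt; eth0 on old versions).
capture_interface() {
    case "$1" in
        asm|tmm)     echo "0.0" ;;
        syslog|mgmt) echo "mgmt" ;;
        *)           return 1 ;;
    esac
}

# The two route tables that can disagree for the same destination IP.
show_route_tables() {
    echo "== Management routes (host daemons such as syslog-ng) =="
    tmsh list sys management-route
    echo "== TMM routes (ASM logging profile / TMM-sourced traffic) =="
    tmsh list net route
}

# Capture each path separately; a capture on only one of them will
# miss the other half of the traffic, which is what confused the OP.
capture_both() {
    local dest="$1" port="$2" iface
    for src in asm syslog; do
        iface="$(capture_interface "$src")"
        echo "== $src path, interface $iface =="
        timeout 20 tcpdump -nni "$iface" -c 20 "host $dest and port $port"
    done
}

if on_bigip; then
    show_route_tables
    capture_both "$DEST" "$PORT"
else
    echo "tmsh not found: run this on the BIG-IP itself." >&2
fi
```

If the capture on `mgmt` shows the syslog-ng packets and the one on `0.0` shows the CEF events, both paths are working and the "missing" traffic was simply on the interface that was not being watched; if the management capture is empty, compare the two route listings for the destination.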

  • Marvin

    Hi Amit,

    You are totally right. I was using tcpdump with the option -i 0.0, but that didn't capture the management packets. So when I started to capture specifically on the management interface, I did see the traffic.

    Case closed.

    Thanks