
Marvin_129795
Aug 27, 2015

Syslog Arcsight and remote destination Syslog combined

Hi All,


I have a BIG-IP LTM + ASM installed. Within the ASM I have a logging profile configured that sends the ASM logs in CEF format to ArcSight, which works perfectly.


I also have a standard Syslog destination configured in the System menu with the same remote log destination, because I also want standard Syslog information to be sent to the same Syslog server.


The problem is that it just does not work. If I generate some logs by shutting down a pool there is no traffic sent to the Syslog server. The very strange thing is when I change the IP to another IP that is different than the Arcsight IP it is being sent.


So it seems like you are not able to combine an ASM syslog CEF and a normal Syslog destination using the same IP destination.


I also tried to restart the syslog-ng daemon but that also did not fix the problem.


Does someone have an explanation for this?


  • The ASM logging profile might be looking up the routing for the syslog IP in the tmm route-table.


    The syslogd is sending syslogs from the management-ip and looking up the route in "tmsh sys management-route".


    A tcpdump would help pinpoint the issue.




  • Marvin

    Hi Amit,


    You are totally right. I was using tcpdump with the option -i 0.0 but that didn’t capture the management packets. So when I started to capture specifically the management interface I did see the traffic.


    Case closed.

