Friday, June 29, 2018

Oracle Linux - connect F5 to remote syslog server

Logging on Linux devices is local by default. There are a number of good reasons to keep all your logs in one central location. In a recent project, the requirement was that all logging go to a central Oracle Linux rsyslog server. Setting up an rsyslog server to receive logs from other Oracle Linux nodes is a trivial task.

Installing the rsyslog server can be done with a yum command, yum install rsyslog, which takes care of most of the work. Things get more interesting when you want more than just your Oracle Linux nodes to report to your rsyslog server. When you have an F5 appliance, you have to provide the details of your Oracle Linux rsyslog server to that device as well, using the tmos shell.

Setting the Oracle Linux rsyslog server in the F5 can be done using a command as shown below:

modify /sys syslog remote-servers add { <name> {host <ip-address> remote-port <port> }}

This should set the configuration correctly. To verify the new configuration, use the command below:

# tmsh list sys syslog
sys syslog {
    include "destination d_loghost { udp(172.16.1.110 port(514) localip(172.18.1.1));}; log {source(s_syslog_pipe); filter(f_local0); destination(d_loghost);};"
}

This should ensure the basics are set to enable you to receive log traffic from your F5 on your Oracle Linux rsyslog server.
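The verification step above can be automated when several appliances must all log to the same server. The following Python sketch is an added example, not part of the original post: it parses `tmsh list sys syslog` output and reports destinations that differ from the expected rsyslog server. The function names, the constructed `remote-servers` listing, and the UDP and port 514 defaults for such entries are assumptions.

```python
import re

# `tmsh list sys syslog` output as shown on this page (include-based destination).
PAGE_OUTPUT = '''sys syslog {
    include "destination d_loghost { udp(172.16.1.110 port(514) localip(172.18.1.1));}; log {source(s_syslog_pipe); filter(f_local0); destination(d_loghost);};"
}'''

# Constructed sample: assumed listing after `modify /sys syslog remote-servers add`.
REMOTE_SERVERS_OUTPUT = '''sys syslog {
    remote-servers {
        central {
            host 172.16.1.110
            remote-port 514
        }
    }
}'''

# syslog-ng driver inside an include string, e.g. udp(1.2.3.4 port(514) localip(...))
INCLUDE_DEST = re.compile(r'\b(udp|tcp)\(\s*[\\"]*([\w.:-]+)[\\"]*((?:\s+\w+\([^()]*\))*)\s*\)')
# Innermost { ... } block that carries a `host` attribute (a remote-servers entry).
SERVER_BLOCK = re.compile(r'\{([^{}]*\bhost\s+\S+[^{}]*)\}')


def syslog_destinations(tmsh_output):
    """Return (proto, host, port, localip) for every remote destination found."""
    found = []
    for proto, host, opts in INCLUDE_DEST.findall(tmsh_output):
        o = dict(re.findall(r'(\w+)\(([^()]*)\)', opts))
        found.append((proto, host, int(o.get("port", 514)), o.get("localip")))
    unquoted = re.sub(r'"[^"]*"', "", tmsh_output)  # ignore include strings here
    for block in SERVER_BLOCK.findall(unquoted):
        a = dict(re.findall(r'([\w-]+)\s+(\S+)', block))
        # Assumption: remote-servers entries use UDP, and port 514 when none is listed.
        found.append(("udp", a["host"], int(a.get("remote-port", 514)), a.get("local-ip")))
    return found


def audit(tmsh_output, expected_host, expected_port=514):
    """Return findings; an empty list means logs go only to the expected server."""
    dests = syslog_destinations(tmsh_output)
    if not dests:
        return ["no remote syslog destination configured"]
    findings = []
    if not any((h, p) == (expected_host, expected_port) for _, h, p, _ in dests):
        findings.append(f"expected server {expected_host}:{expected_port} missing")
    findings += [f"unexpected destination {pr}://{h}:{p}" for pr, h, p, _ in dests
                 if (h, p) != (expected_host, expected_port)]
    return findings
```

Calling `audit(PAGE_OUTPUT, "172.16.1.110")` returns an empty list, while an appliance with no remote destination or with an extra one produces a finding per problem.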