BIG-IP Remote Logging

Your customer would like to integrate BIG-IP system messages with their central logging system, to be processed by their correlation software. They would like you to send mcpd informational messages (to external logging server(s)).

Configuring a logging pool

Create a pool with the logging server(s). This will be the destination for high speed logging. You will be logging to syslog_ng over TCP port 514. You will be using a combination of an inband monitor and an active monitor to determine the log server’s availability. This monitor will combination will reduce network activity and superfluous log messages to the syslog server.

Configure the Logging Pool.

Because the syslog server is using the TCP protocol, we can use inband monitors. Create an inband monitor named syslog_inband and use the default configuration.

Create an active TCP monitor named syslog_active and set the Up Interval to 180 seconds.

This monitor will poll the syslog server every three minutes while the inband monitor is showing the server available. If the server goes down, it will be polled every 5 seconds.

Note

The purpose of the monitors is to reduce logging to the syslog server, which will log the monitor request as they come in. The inband monitor will use message traffic the monitor the syslog server without generating message traffic, but if the syslog server goes down the active monitor will return it to service much faster than the default inband timeout.

Create a logging pool named logging_pool, with the syslog_inband, syslog_active monitors and the member 10.1.20.252:514.

Configure the logging destinations

Remember at least two log destinations need to be created. The first one will be the High Speed Logging (HSL) Destination where the messages will be sent (the Logging_Pool you just created) and the protocol that will be used, TCP or UDP. The second Log Destination created will specify the message format and the HSL Destination where formatted messages go too.

High Speed Logging (HSL) Log Destination

First you will create a Log Destination to tell the BIG-IP where to send the log messages and the protocol to use.

Note

The reason we have to define an HSL destination is because the is no way to assign a protocol to a pool.

Go to System > Logs > Configurations > Log Destinations and create a HSL destination named hsl_logging_dest of a type Remote High-Speed Log and the pool name is logging_pool

Formatted Log Destination

This log destination will be used to format the log output. You are sending the messages to a syslogng server, so you will want them in a syslog format. You will send the formatted log events to the HSL Log Destination you created earlier.

In Logging Destinations select Create and build a formatted destination named formatted_dest with a type of Remote Syslog and with the Syslog Format of Syslog and the High Speed Log Destination set to hsl_logging_dest.

Log Publisher and Filtering Messages

The log publisher is a way to associate individual or multiple log destinations to a logging profile. In this case, any messages through this publisher will go to local log files and the remote logs via formatted_dest.

Go to System > Logs > Configurations > Log Publishers and select Create.

Name: logging_pub

Destinations: Move formatted_dest and local-syslog to the Selected box.

Select Finished when done.

This step created a log publisher that will send Syslog formatted events to a remote server, the local database, and the local syslog. Normally you wouldn’t want to go to all three, but this is one way to show how BIG-IP can send to multiple destinations for demonstration purposes. And while you can log everything off the BIG-IP you will probably want some local logging available, so you can log on to the BIG-IP and check events without going through the syslog server.

System Logging Filter

Now you will create a system logging filter. This will demonstrate how we can log systems events off box, as well as on box. We do NOT want to take the defaults as logging down to the debug level would cause the BIG-IP to drop log messages and could fill up the log files to the point where the BIG-IP runs out of disk space. You are going to send informational messages from the MCPd daemon to the published destinations.

Go to System > Log > Configuration > Log Filters and select Create
  • Name: my-mcpd-filter
  • Severity: Informational
  • Source: mcpd
  • Log Publisher: logging_pub

Test your logging configuration

Generate and view a mcpd event.

SSH to the syslog-ng server at 10.1.1.252 (credentials are root/default)..

Watch the bigip.log syslog file for your events:

tail -f /var/log/syslog | grep bigip

Go to Local Traffic > Pools and select the www_pool. Disable one of the pool members.

Q1. Did you see messages on the syslog servers?