F5 BIG-IP Log Events Input

This is a Graylog Enterprise feature. A valid Graylog Enterprise license is required.

F5 BIG-IP is a family of software and hardware products that focus on application availability, access control, and security solutions. The Graylog F5 BIG-IP Log Events input can retrieve the following types of BIG-IP logs. See the corresponding F5 documentation for additional information.

Log Types

  • daemon: Unix daemon logs

  • gtm: BIG-IP GTM logs

  • kernel: Linux kernel messages

  • ltm: BIG-IP LTM logs

  • mail: Mail daemon logs

  • messages: Application messages

  • security: Security-related messages

  • tmm: Traffic Manager Microkernel logs

  • user: Various user process logs

  • audit: Audits of configuration changes

Prerequisites

Application Server

  • An existing F5 BIG-IP system must be set up to use this input.

BIG-IP API User

Before the input can be used, a Log Manager user with an appropriate Log Manager security policy must be added. The username and password will be used to authenticate the input later in the setup. See the relevant F5 documentation:

TLS

If your F5 system uses a self-signed certificate, it might be necessary to download the TLS certificate from the F5 server and install it in the default Java keystore. This will allow Graylog to successfully trust connections to the F5 system.

See the corresponding F5 documentation for certificate management: AskF5 | Manual Chapter: SSL Certificate Management

The following example command can be used to install an F5 TLS certificate into the default Java keystore:

Copy
sudo keytool -importcert -alias <f5-system-ip-or-hostname> -file /path/to/certificate.crt

Hint: The Graylog server must be rebooted after installing the certificate in the Java key store.

F5-BIG IP Log Events Configuration

  1. Configure your new F5 BIG-IP input by navigating to System > Input.

  2. Select "F5 BIG-IP Log Events" from the drop-down menu and click Launch new input.

  3. From there, complete the following fields in the F5 BIG-IP Integrations menu to launch your input.

Store Full Message

This input supports the option to store full messages from F5 BIG-IP, which allows you to manually parse data received from all Azure log message types utilizing processing pipelines. To enable this option, select "Store Full Message" in the Advanced Options menu.

Once the input is set up, it will retrieve all specified log types each time the polling interval is used.