F5 BIG-IP Log Events Input

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

F5 BIG-IP is a family of software and hardware products that focus on application availability, access control, and security solutions. The F5 BIG-IP Log Events Input allows Graylog to securely collect system, application, and security logs directly from BIG-IP management servers. See the F5 documentation for additional information.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • An existing F5 BIG-IP system must be set up to use this input.

Supported Log Types

This input supports collecting the following log types:

  • daemon: Unix daemon logs

  • gtm: BIG-IP GTM logs

  • kernel: Linux kernel messages

  • ltm: BIG-IP LTM logs

  • mail: Mail daemon logs

  • messages: Application messages

  • security: Security-related messages

  • tmm: Traffic Manager Microkernel logs

  • user: Various user process logs

  • audit: Audits of configuration changes

Required Third-Party Setup

To enable integration, complete the following required setup with your third-party service:

Required Configuration Values

In your third-party configuration, make note of the following values that are required when configuring the input in Graylog:

  • The username and password will be used to authenticate the input later in the setup.

Input Type

This input is a pull input type. See Inputs to learn about input types.

Input Configuration

Follow the input setup instructions. During setup of this input, you can configure the following options:

Configuration Option Description

Input Name

Provide a unique name for your new input.
Management Server Host The hostname or IP address of the F5 BIG-IP management server from which logs will be collected.
User Name Username with sufficient privileges to access the F5 BIG-IP log API.
Password Password for the user account specified above. Used for authentication.
Log Types to Collect Specify which log categories to retrieve (e.g., system, application, security).
Polling Interval The frequency (in seconds) at which Graylog polls the F5 BIG-IP for new log data.
Enable Throttling When enabled, limits the rate of requests to avoid overloading the BIG-IP system.
Store Full Message

Determines whether the full raw log message is stored in Graylog or only parsed fields.
Disable TLS Validation Skips TLS/SSL certificate validation. Useful for self-signed certificates, but less secure.

Install the F5 TLS Certificate in the Java Keystore

If your F5 system uses a self-signed certificate, it may be necessary to download the TLS certificate from the F5 server and install it in the default Java keystore. This will allow Graylog to successfully trust connections to the F5 system.

See the F5 documentation for certificate management: AskF5 | Manual Chapter: SSL Certificate Management.

The following example command can be used to install an F5 TLS certificate into the default Java keystore:

Copy 
sudo keytool -importcert -alias <f5-system-ip-or-hostname> -file /path/to/certificate.crt

Hint: The Graylog server must be rebooted after installing the certificate in the Java key store.

Next Steps

After you complete input setup, visit Input Diagnosis for testing and validation of the new input. Use this functionality to help troubleshoot any connection issues.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: