F5 BIG-IP is a family of software and hardware products that focus on application availability, access control, and security solutions. The Graylog F5 BIG-IP Log Events input can retrieve the following types of BIG-IP logs. See the corresponding F5 documentation for additional information.
Log Types
- daemon: Unix daemon logs
- gtm: BIG-IP GTM logs
- kernel: Linux kernel messages
- ltm: BIG-IP LTM logs
- mail: Mail daemon logs
- messages: Application messages
- security: Security-related messages
- tmm: Traffic Manager Microkernel logs
- user: Various user process logs
- audit: Audits of configuration changes
Prerequisites
Application Server
- An existing F5 BIG-IP system must be set up to use this input.
BIG-IP API User
Before the input can be used, a Log Manager user with an appropriate Log Manager security policy must be added. The username and password will be used to authenticate the input later in the setup. See the relevant F5 documentation:
- Creating a security policy: AskF5 | Manual Chapter: Creating a Simple Security Policy
- Creating a user: myF5
TLS
If your F5 system uses a self-signed certificate, it might be necessary to download the TLS certificate from the F5 server and install it in the default Java keystore. This will allow Graylog to successfully trust connections to the F5 system.
See the corresponding F5 documentation for certificate management: AskF5 | Manual Chapter: SSL Certificate Management
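The following example command can be used to install an F5 TLS certificate into the default Java keystore (the JVM's cacerts truststore). Run the keytool that belongs to the Java runtime Graylog uses; without -cacerts or -keystore, keytool writes to the invoking user's own ~/.keystore, which the JVM does not use as its default truststore:
sudo keytool -importcert -cacerts -alias <f5-system-ip-or-hostname> -file /path/to/certificate.crt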
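The import step above, as an added example that is not taken from the Graylog or F5 documentation: shell functions that check a downloaded certificate against a SHA-256 fingerprint obtained out of band from the F5 administrator, and import it only on a match. The function names, the use of openssl, and the cacerts target are assumptions of this example.

```shell
#!/bin/sh
# Added example: pin-check an F5 certificate before trusting it in the JVM truststore.
# Function names are hypothetical; host, alias and file paths are supplied by the caller.

# Print the SHA-256 fingerprint of a PEM certificate as bare uppercase hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# Normalise a fingerprint as typed or pasted (colons, spaces, lowercase).
normalise_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Succeed only if the certificate file matches the expected fingerprint.
# Returns 2 when the file cannot be parsed, 1 on mismatch.
verify_pin() {
    actual=$(cert_fingerprint "$1") || return 2
    [ -n "$actual" ] || return 2
    [ "$actual" = "$(normalise_fp "$2")" ]
}

# Save the leaf certificate presented by host:port to a file (needs network access).
fetch_cert() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Import into the cacerts truststore only after the pin check passes.
# Arguments: certificate file, expected fingerprint, keystore alias.
import_if_pinned() {
    if verify_pin "$1" "$2"; then
        keytool -importcert -cacerts -alias "$3" -file "$1"
    else
        echo "fingerprint mismatch for $1, not importing" >&2
        return 1
    fi
}
```

Typical use is `fetch_cert <f5-system-ip-or-hostname>:443 /path/to/certificate.crt` followed by `import_if_pinned /path/to/certificate.crt "<fingerprint from the F5 administrator>" <f5-system-ip-or-hostname>`, run with the keytool of the JVM that Graylog uses.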
F5 BIG-IP Log Events Configuration
- Configure your new F5 BIG-IP input by navigating to System > Input.
- Select "F5 BIG-IP Log Events" from the drop-down menu and click Launch new input.
- From there, complete the following fields in the F5 BIG-IP Integrations menu to launch your input.
Store Full Message
This input supports the option to store full messages from F5 BIG-IP, which allows you to manually parse data received from all F5 BIG-IP log message types using processing pipelines. To enable this option, select "Store Full Message" in the Advanced Options menu.
Once the input is set up, it will retrieve all specified log types each time the polling interval elapses.