F5 BIG-IP Log Events Input
This is a Graylog Enterprise feature. A valid Graylog Enterprise license is required.
F5 BIG-IP is a family of software and hardware products that focus on application availability, access control, and security solutions. The Graylog F5 BIG-IP Log Events input can retrieve the following types of BIG-IP logs. See the corresponding F5 documentation for additional information.
Log Types
-
daemon
: Unix daemon logs -
gtm
: BIG-IP GTM logs -
kernel
: Linux kernel messages -
ltm
: BIG-IP LTM logs -
mail
: Mail daemon logs -
messages
: Application messages -
security
: Security-related messages -
tmm
: Traffic Manager Microkernel logs -
user
: Various user process logs -
audit
: Audits of configuration changes
Prerequisites
Application Server
-
An existing F5 BIG-IP system must be set up to use this input.
BIG-IP API User
Before the input can be used, a Log Manager user with an appropriate Log Manager security policy must be added. The username and password will be used to authenticate the input later in the setup. See the relevant F5 documentation:
-
Creating a security policy: AskF5 | Manual Chapter: Creating a Simple Security Policy
-
Creating a user: myF5
TLS
If your F5 system uses a self-signed certificate, it might be necessary to download the TLS certificate from the F5 server and install it in the default Java keystore. This will allow Graylog to successfully trust connections to the F5 system.
See the corresponding F5 documentation for certificate management: AskF5 | Manual Chapter: SSL Certificate Management
The following example command can be used to install an F5 TLS certificate into the default Java keystore:
sudo keytool -importcert -alias <f5-system-ip-or-hostname> -file /path/to/certificate.crt
F5-BIG IP Log Events Configuration
-
Configure your new F5 BIG-IP input by navigating to System > Input.
-
Select "F5 BIG-IP Log Events" from the drop-down menu and click Launch new input.
-
From there, complete the following fields in the F5 BIG-IP Integrations menu to launch your input.
Store Full Message
This input supports the option to store full messages from F5 BIG-IP, which allows you to manually parse data received from all Azure log message types utilizing processing pipelines. To enable this option, select "Store Full Message" in the Advanced Options menu.
Once the input is set up, it will retrieve all specified log types each time the polling interval is used.