Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

This quick start guide will help Accenture MDR customers configure F5® BIG-IP Local Traffic Manager (LTM) to send logs to the Log collection Platform (LCP).

The document includes the following topics:

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source

Destination

Port

Description

F5 BIG-IP LTM

LCP

514 (UDP)

Default port

Configuring F5 BIG-IP LTM

 Note: LTM event logs such as [ssl_acc] and [ssl_req] are unsupported by the collector, so these log types must be filtered out on the device.

To configure F5 BIG-IP LTM to send event logs to the LCP, follow the steps below: 

  1. Login to SSH using root credentials.

2. Log in to the Traffic Management Shell (tmsh) by typing the command: #tmsh 

3. To send filtered log messages to remote syslog servers, type the following command:​ tmos)#modify /sys syslog remote-servers none 

Note: The remote-servers statement needs to be removed and then a syslog "include" statement that defines a filter rule and the remote server should be entered.

4. To define the desired syslog filter that references the remote server, type the following command: (tmos)#edit /sys syslog all-properties     

5. Replace the include none command line with the following filter:

 Note: Add the LCP IP address and port number in the filter.

 

include "

filter f_remote_loghost {

level(debug..emerg);

};

filter f_ssl_acc {

not match(\"ssl_acc\");

};

filter f_ssl_req {

not match(\"ssl_req\");

};

destination d_remote_loghost {

udp(\"<lcp_ip_address>\" port(514));

};

log {

source(s_syslog_pipe);

filter(f_remote_loghost);

filter(f_ssl_acc);

filter(f_ssl_req);

destination(d_remote_loghost);

};

"

6. To exit the text editor, type Esc and then enter wq!

7. Save the configuration by typing the command: (tmos)#save /sys config

LCP Configuration Parameters

Table 1-2: The F5 BIG-IP LTM event collector (3371 – Syslog) properties to be configured by MDR are shown in the table.

Property

Default Value

Description

Protocol

UDP

The default protocol for syslog.

Note: F5 LTM does not support TCP.

IP Address

F5 BIG-IP LTM Interface IP address

Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ).

Note: If the device sends logs using multiple interfaces, contact the Accenture MDR onboarding team.

Port Number

514

The default port for UDP.

Note: The LCP can be configured to listen on a non-standard port, please advise the MDR onboarding team if this is a requirement.

 

  • No labels