This quick start guide will help Accenture MDR customers configure F5® BIG-IP Local Traffic Manager (LTM) to send logs to the Log collection Platform (LCP).
The document includes the following topics:
Supported Versions
A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal.
Port Requirements
Table 1-1: Port requirements for LCP communication.

| Source | Destination | Port | Description |
| --- | --- | --- | --- |
| F5 BIG-IP LTM | LCP | 514 (UDP) | Default port |
Configuring F5 BIG-IP LTM
Note: LTM event logs such as [ssl_acc] and [ssl_req] are unsupported by the collector, so these log types must be filtered out on the device.
To configure F5 BIG-IP LTM to send event logs to the LCP, follow the steps below:
1. Log in to the device over SSH using root credentials.
2. Log in to the Traffic Management Shell (tmsh) by typing the command: #tmsh
3. To send filtered log messages to remote syslog servers, first remove the existing remote-servers statement by typing the following command: (tmos)#modify /sys syslog remote-servers none
Note: The remote-servers statement must be removed first; a syslog "include" statement that defines the filter rules and the remote server is then entered in its place (steps 4 and 5).
4. To define the desired syslog filter that references the remote server, type the following command: (tmos)#edit /sys syslog all-properties
5. Replace the include none command line with the following filter:
Note: Add the LCP IP address and port number in the filter.
include "
filter f_remote_loghost {
level(debug..emerg);
};
filter f_ssl_acc {
not match(\"ssl_acc\");
};
filter f_ssl_req {
not match(\"ssl_req\");
};
destination d_remote_loghost {
udp(\"<lcp_ip_address>\" port(514));
};
log {
source(s_syslog_pipe);
filter(f_remote_loghost);
filter(f_ssl_acc);
filter(f_ssl_req);
destination(d_remote_loghost);
};
"
6. To save the change and exit the text editor, press Esc and then type :wq! followed by Enter.
7. Save the configuration by typing the command: (tmos)#save /sys config
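To check what the include statement above will actually let through before the LCP side is confirmed, the following added Python script (not part of this guide, and not F5 or Accenture code) re-implements the three filters from the log statement, level(debug..emerg), not match("ssl_acc") and not match("ssl_req"), and runs them over constructed sample lines shaped like F5 LTM syslog output. The default PRI used for lines without a <PRI> prefix is an assumption.

```python
import re

# syslog severities in numeric order (list index == syslog severity code)
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse_pri(line):
    """Split '<PRI>rest' into (facility, severity, rest)."""
    m = PRI_RE.match(line)
    if not m:
        return 1, 5, line  # assumption: treat untagged input as user.notice
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)

def level_in_range(severity, low="debug", high="emerg"):
    """Model syslog-ng level(low..high): an inclusive range of severities."""
    lo, hi = LEVELS.index(low), LEVELS.index(high)
    return min(lo, hi) <= severity <= max(lo, hi)

def would_forward(line, drop_patterns=("ssl_acc", "ssl_req")):
    """True if the line passes f_remote_loghost, f_ssl_acc and f_ssl_req from the guide."""
    _, severity, msg = parse_pri(line)
    if not level_in_range(severity):  # filter f_remote_loghost
        return False
    # not match("...") is a regex search over the message; a hit means the line is dropped
    return not any(re.search(p, msg) for p in drop_patterns)

def split_forwarded(lines):
    """Partition lines into (forwarded_to_lcp, dropped_on_device)."""
    forwarded = [l for l in lines if would_forward(l)]
    dropped = [l for l in lines if not would_forward(l)]
    return forwarded, dropped

# Constructed sample lines in the shape of F5 LTM syslog output (not captured from a real device)
SAMPLE = [
    '<134>Jan 10 12:00:01 bigip1 tmm[1234]: Rule /Common/log_irule <CLIENT_ACCEPTED>: client 10.0.0.5',
    '<134>Jan 10 12:00:02 bigip1 ssl_acc: 10.0.0.5 - - [10/Jan/2024:12:00:02 +0000] "GET /" 200 512',
    '<131>Jan 10 12:00:03 bigip1 mcpd[5678]: 01070638:3: Pool /Common/web_pool member 10.0.0.20:80 monitor status down.',
    '<134>Jan 10 12:00:04 bigip1 ssl_req: [10/Jan/2024:12:00:04 +0000] 10.0.0.5 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /" 512',
]

if __name__ == "__main__":
    fwd, drop = split_forwarded(SAMPLE)
    print(f"forwarded to LCP: {len(fwd)}, dropped on device: {len(drop)}")
    for line in fwd:
        print("  ->", line[:70])
```

Lines tagged ssl_acc or ssl_req are dropped on the device, everything else at any severity reaches the LCP destination.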
LCP Configuration Parameters
Table 1-2: The F5 BIG-IP LTM event collector (3371 – Syslog) properties to be configured by MDR are shown in the table.

| Property | Default Value | Description |
| --- | --- | --- |
| Protocol | UDP | The default protocol for syslog. Note: F5 LTM does not support TCP. |
| IP Address | F5 BIG-IP LTM interface IP address | Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs using multiple interfaces, contact the Accenture MDR onboarding team. |
| Port Number | 514 | The default port for UDP. Note: The LCP can be configured to listen on a non-standard port; please advise the MDR onboarding team if this is a requirement. |