Configure syslog server on F5 BIG-IP

Syslog servers are a great idea they centralise all your logs from your Servers and networking devices.

I used for the syslog server the following command

bigpipe syslog remote server 'syslog-srv.local-domain.com' host 10.1.1.100 add

After that everything looked fine and I saw syslog messages but I got lots of informational messages and the following debug message.

debug snmpd[PID]: error on subcontainer 'ia_addr' insert (-1)

For the debug message I found a solution on AskF5: http://support.f5.com/kb/en-us/solutions/public/12000/100/sol12136.html?sr=16487442

There is saw that I went the wrong way of configuring syslog on my load balancer, I also needed to set the log level for remote syslog server. Here the solution from F5: http://support.f5.com/kb/en-us/solutions/public/11000/700/sol11723.html

1. Log in to the command line of the BIP-IP

2. Create in /tmp/syslog.inc file with the syslog configuration.

syslog include "
filter f_remote_loghost {
level(notice..emerg);
};
destination d_loghost {
udp(\"10.1.1.100\" port(514));
};
log {
source(s_syslog_pipe);
filter(f_remote_loghost);
destination(d_loghost);
};
"

3. To remove the currently configured remote syslog servers, type the following command:
Important: This step disables all remote logging.

[root@l-ltm-ve-01:Active] tmp # b syslog remote server none

4. Copy the changes into the configuration

[root@l-ltm-ve-01:Active] tmp # bpsh < /tmp/syslog.inc

5. Refresh and start syslog deamon

[root@l-ltm-ve-01:Active] tmp # syslog-ng -s

6. Save the configuration

[root@l-ltm-ve-01:Active] tmp # b save all
/config/bigip_base.conf was renamed to /config/bigip_base.conf.bak (86 lines).
/config/bigip_sys.conf was renamed to /config/bigip_sys.conf.bak (66 lines).
/config/bigip.conf was renamed to /config/bigip.conf.bak (894 lines).
/config/bigip_local.conf was renamed to /config/bigip_local.conf.bak (1 lines).
[root@l-ltm-ve-01:Active] tmp #

If the new logging configuration is not working as expected, make the desired changes to the /tmp/syslog.inc file and return to Step 2.

When the syslog-ng -s command reports the following error message:

# syslog-ng -s syntax error at 751

Remove the syslog include entries by typing the following command:

bigpipe syslog include none

Review the import configuration for syntax errors before attempting to re-import by typing the command listed in Step 2.

F5 Load Balancer

My company decided to buy two F5 Big IP Local Traffic Manager 8950 for our web cluster systems with a maximum balanced capacity of 20 gigabit. We also got the F5 Local Traffic Manager as Virtual Edition for our test enviroment and to integrate it into the test network.

In the beginning the F5 looked very complicated but after some time now playing around with it and setting up things, it got easier and easier. I only need to have a deeper look at the iRules because this feature allows you can to really do everything with the F5 load balancer.

So for now I can’t really write more about it but I will soon  post some updates.

Next week I have the integration of the F5 Big-IP into the production network of my company and will start setting up the first new linux web cluster but only with a layer 4 balancing.

Update:

Here a nice picture of the new F5 BigIP boxes in the data center from my company:

For the new web cluster for my company we set-up layer 4 balanced web server pools and layer 7 balanced pools.

The layer 7 balancing was necessary because there where different server pools with applications that needed to run under the same domain and where routed on the expected http/https request. I will post the iRule for everybody soon.

Here two interesting ressources to get information:

Ask F5

F5 Devcentral