I have installed a Graylog v3.0.2 server to store logs from F5 BIG-IP. The F5 is running the CGNAT service. When I configured the F5 to send logs to local syslog (the F5 itself), the server can receive the F5's CGNAT logs, but when I configured the F5 to send logs directly via the F5 LSN CGNAT publisher, the server cannot receive the logs from the F5. As a result of troubleshooting using tcpdump on the F5, I see that the F5 is sending the logs out, but when I run tcpdump on the server, I don't see any message received from the F5.
Thank you in advance for reading and for your advice.
Sorry, but I can’t understand you.
As per your post, you don't send the logs to Graylog.
It seems to be an F5 or network issue. Solve it, and continue this topic if you get the messages on the Graylog server but don't see the logs.
Hi macko003, thanks for your feedback. Please read my post again. Anyway, I have checked with the F5 support team; they told me there is no problem with the F5, because they recommended running the tcpdump command on the F5 and seeing the logs being sent out. They said the problem is with the Graylog server.
Sorry if my bad English made it hard to understand. Thanks.
Thanks for your advice. Well, you see port 1514 because I use the default port 514, which is lower than port 1024, and since the beginning I added the commands below on the Graylog server to redirect port 514 to 1514,
following the Graylog documentation: http://docs.graylog.org/en/3.0/pages/faq.html
iptables -t nat -A PREROUTING -p tcp --dport 514 -j REDIRECT --to 1514
iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to 1514
I have had bad experiences with forwarding port 514 through the firewall; some devices had problems with it. Rather try to use port 1514 (or another) directly without iptables and set up the F5 to send remote syslog to this port, and see if it helps.
Check if messages are received by Graylog with tcpdump:
sudo tcpdump -A -n -vv -i ens160 port 1515
If you see the message received in tcpdump but it is not shown in Graylog, it's probably a problem with the timestamp. Try to use an Absolute search time range, and set the interval from yesterday to tomorrow (future), to see if it finds something. If there is a problem with timestamps, messages can be saved to Graylog correctly but not shown, because they are from the future.
If nothing is received in tcpdump, check the connection between the F5 and Graylog, at least the iptables firewall on the Graylog server, and whether you allowed port 1515 on it.
Thanks for the additional troubleshooting information. I have followed your advice; let me update as below:
Try to debug the connection from F5 to Graylog, if it is working correctly:
--> YES, I confirm it's working correctly.
Send a test message from F5 to Graylog:
echo '<0>Testing LTM for connectivity' | nc -w 1 -u graylog_server_ip 1515
--> YES, it's successful. Graylog received the test message and the message also appeared, as in the screenshot below:
Check if messages are received by Graylog with tcpdump:
--> YES! Graylog can receive the message both in tcpdump and in the Graylog web interface in the case of option #2 above.
--> NO! Graylog cannot receive anything, either in tcpdump or in the Graylog web interface, when I tried to send from the F5 LSN CGNAT publisher. But I would like to confirm that when I tried to send from the F5 LSN CGNAT publisher as in option #1, the F5 really sent to Graylog via port 1515. I am still wondering why it cannot receive; is it because the amount of LSN CGNAT logs is a very huge number of messages? Or what? Hmm...
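As an added example (not from any post in this thread), here is a small Python script that reproduces two of the checks discussed above offline: it parses syslog lines in the bare `<PRI>text` form used by the nc test and in the BSD-style `<PRI>Mon dd hh:mm:ss host msg` form, and it flags a message whose timestamp is more than a day away from the receiver clock, the case where Graylog stores the message but a relative-time search does not show it. The sample lines (hostname bigip1, the LSN_ADD text) are constructed, and the loopback check uses a local UDP socket in place of the real Graylog input.

```python
import re
import socket
from datetime import datetime, timedelta

# BSD-style (RFC 3164) syslog line: <PRI>Mon dd hh:mm:ss host message
# The bare "<PRI>text" form used by the nc connectivity test is accepted too.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) )?"
    r"(?P<msg>.*)$", re.S)

def parse_syslog(line, now=None):
    """Split a line into facility, severity, timestamp, host and message.
    RFC 3164 timestamps carry no year, so the receiver's year is assumed."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23, severity 0..7
        raise ValueError("PRI %d out of range" % pri)
    ts = None
    if m.group("ts"):
        year = (now or datetime.now()).year
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": ts,
            "host": m.group("host"), "message": m.group("msg")}

def timestamp_problem(line, now=None, window=timedelta(days=1)):
    """'future', 'past' or None. A message whose timestamp is more than `window`
    from the receiver clock is stored but hidden from a relative-time search."""
    if isinstance(now, str):  # ISO-8601 string accepted for reproducible checks
        now = datetime.fromisoformat(now)
    now = now or datetime.now()
    ts = parse_syslog(line, now)["timestamp"]
    if ts is None:
        return None
    return "future" if ts > now + window else "past" if ts < now - window else None

def loopback_test(text="Testing LTM for connectivity"):
    """Equivalent of `echo '<0>...' | nc -u` against a local UDP listener, so the
    receive path is exercised without a network; returns the parsed datagram."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
    rx.settimeout(2)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.sendto(("<0>%s" % text).encode(), rx.getsockname())
    data, _ = rx.recvfrom(65535)
    rx.close(); tx.close()
    return parse_syslog(data.decode())
```

Run `timestamp_problem` over a few lines captured with `tcpdump -A` on the Graylog box; a result of "future" or "past" explains a message that tcpdump sees but the default search does not.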
If you didn't see any output from tcpdump running on the Graylog box, it means nothing comes to the Graylog box at all. It doesn't matter whether Graylog is running or not. Anyway, you should definitely see the data sent from the F5 in the tcpdump output running on the Graylog box. If not, there is a problem with the connection from the F5 to the Graylog box (the Linux box), not the Graylog service alone. Check your network and firewall settings once again...
Try to check whether the F5 doesn't still use port 514 (tcpdump will listen on ports 514 and 1515):
sudo tcpdump -nnAs0 -i ens160 port 514 or port 1515
Maybe the F5 uses another destination port, protocol or source IP, which is not allowed to connect to the Graylog box. Try to run tcpdump on the F5 LSN CGNAT publisher and check the source IP, destination IP, port and protocol (UDP/TCP). If you are able, post the output of tcpdump here.