How to add Graylog behind F5 BIG-IP

I installed Graylog on one node and received syslog without any problem.

For security reasons I want Graylog behind F5 with HTTPs offload I added the server to pool with port 9000 and when I go to it through F5 it show me blank screen.

Any reason why this is happening?

Check for server.conf parameters:

  • http_bind_address
  • http_publish_uri
  • http_external_uri
  • http_enable_cors

https://docs.graylog.org/en/4.0/pages/configuration/server.conf.html#web-rest-api

I changed these parameters:

http_bind_address = Local server IP
http_publish_uri = URL point to F5 VS
http_external_uri = URL point to F5 VS

Still doesn’t work

Hello,
Could you show in greater detail your Graylog configurations. This would help us, help you better troubleshooting your issue.
Also what have you tried so far to resolve this issue?

Thanks

Hello gsmith,

My setup as follow

  1. One VM with Graylog installed.
  2. Add VM IP with port 9000 behind F5.
  3. DNS record point to F5.
  4. Changed http_bind_address to VM IP.

My guess I have a problem with mixed content but not sure.

I might have to agree with you, but its hard to tell from my side. We would need to see configuration, logs, etc… or anything to help troubleshoot your issue. Personally I have not used F5 but Im assuming its some type of Firewall /Proxy? If so, have you check any logs from F5 for errors, warnings, etc…?

F5 its a reverse proxy such as Nginx we use it to allow client to connect only through F5.

I looked into F5 logs no error or warnings.

These are some of the logs for Graylog server

2021-06-06T11:38:07.578+03:00 INFO  [ServerBootstrap] Graylog server up and running.
2021-06-06T11:38:07.580+03:00 INFO  [InputStateListener] Input [Syslog UDP/60b5ef312f5ce35c08a03170] is now STARTING
2021-06-06T11:38:07.656+03:00 INFO  [InputStateListener] Input [Syslog UDP/60b5ef312f5ce35c08a03170] is now RUNNING
2021-06-06T11:38:07.658+03:00 WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=F5 BIG-IP, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=a5c7c821-4edc-49ff-b710-a5eff57b8235} (channel [id: 0xcf221cc4, L:/0:0:0:0:0:0:0:0%0:5140]) should be 262144 but is 425984.
2021-06-06T11:38:07.658+03:00 WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=F5 BIG-IP, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=a5c7c821-4edc-49ff-b710-a5eff57b8235} (channel [id: 0xd1ab8125, L:/0:0:0:0:0:0:0:0%0:5140]) should be 262144 but is 425984.
2021-06-06T11:38:07.658+03:00 WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=F5 BIG-IP, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=a5c7c821-4edc-49ff-b710-a5eff57b8235} (channel [id: 0xd1ca418e, L:/0:0:0:0:0:0:0:0%0:5140]) should be 262144 but is 425984.
2021-06-06T11:38:07.658+03:00 WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=F5 BIG-IP, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=a5c7c821-4edc-49ff-b710-a5eff57b8235} (channel [id: 0x5190e8b5, L:/0:0:0:0:0:0:0:0%0:5140]) should be 262144 but is 425984.

Did you look at any of the examples here Web interface — Graylog 4.0.0 documentation? There are some very specific attributes required when configuring load balancing. I’d recommend sharing what your F5 config looks like so that folks can better assist.

1 Like