Manual Chapter: Encrypting Remotely-stored Log Messages
You can configure the syslog-ng utility on the BIG-IP system to send BIG-IP system log information to a remote logging host, using an encrypted network connection. To do this, you create a port-forwarding SSH tunnel to the remote logging host, and configure the syslog-ng utility on the BIG-IP system to send log messages through the SSH tunnel.
Before you attempt to configure encrypted remote logging, you must meet the following conditions on the BIG-IP system and your remote logging host:
    On the BIG-IP system: You must have a console with root access to the BIG-IP system.
    On the remote logging host: You must have a console with root access to the remote logging host, and the IP address or the host name of the remote logging host.
    For both systems: You must have both systems connected to the same subnetwork.
Warning: Attempt this configuration only if you understand the risks associated with making changes to daemon startup scripts.
Edit the syslog-ng utility startup script to create and destroy the SSH tunnels.
This configuration requires that the BIG-IP system is able to establish an SSH connection to the remote logging host. On the BIG-IP system, use the ssh command to create the tunnel. Figure A.1 is an example of the syntax required to create an SSH tunnel.
Table A.1 contains detailed descriptions of the ssh syntax elements shown in Figure A.1:
    The port SSH listens on for connections, in order to forward them to <remote log hostname>:<remote tunnel port>.
    <remote log hostname>
    The port to which you want the SSH daemon on the remote logging server to forward connections.
    The user name that SSH attempts to authenticate as on <remote log hostname>.
After you have reviewed the ssh command syntax, use the ssh command to create the encrypted tunnel on the BIG-IP system. You must create a unique key on the BIG-IP system. The unique key is used to identify and authorize the BIG-IP system to the remote logging host.
To create the files syslog_tunnel_ID and syslog_tunnel_ID.pub, use the following command sequence:
To make syslog_tunnel_ID readable only by the root account, use the following command sequence:
To make the public portion of the unique SSH ID named syslog_tunnel_ID.pub readable by all accounts, use the following command sequence:
Copy syslog_tunnel_ID and syslog_tunnel_ID.pub into /var/ssh with the following command:
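The key-creation steps above, as an added example that is not the manual's own command sequence: it generates the syslog_tunnel_ID pair, applies the permissions the chapter prescribes (private half readable only by root, public half readable by all), verifies them by reading the mode back, and only then copies the pair into /var/ssh. The use of ssh-keygen with an RSA key and an empty passphrase, the ls/cut mode check and the refuse-to-install guard are assumptions of this example, not part of the page.

```shell
#!/bin/sh
# Added example (not from the F5 manual): create the dedicated SSH identity
# syslog_tunnel_ID / syslog_tunnel_ID.pub, lock the private half down to root,
# and install the pair into /var/ssh as the chapter describes.
# Assumptions: OpenSSH ssh-keygen is present, an RSA key is acceptable, and the
# key has no passphrase (the init script must open the tunnel unattended).

KEY_NAME=syslog_tunnel_ID
KEY_DIR=/var/ssh

# Create the pair in the directory given as $1. The comment only labels the key.
generate_tunnel_key() {
    ssh-keygen -t rsa -b 4096 -N '' -C "syslog tunnel $(hostname)" -f "$1/$KEY_NAME"
}

# Private key 0600 (root account only), public key 0644 (all accounts).
set_key_perms() {
    chmod 600 "$1/$KEY_NAME" && chmod 644 "$1/$KEY_NAME.pub"
}

# Print the 10-character mode string of a file, e.g. "-rw-------". The first
# field of "ls -l" is stable across ls variants; cut drops any ACL/SELinux
# marker that some systems append as an 11th character.
file_mode() {
    ls -l "$1" | cut -c1-10
}

# True only when both halves carry exactly the prescribed modes.
verify_key_perms() {
    [ "$(file_mode "$1/$KEY_NAME")" = "-rw-------" ] &&
    [ "$(file_mode "$1/$KEY_NAME.pub")" = "-rw-r--r--" ]
}

# Copy the pair from $1 into $KEY_DIR, preserving modes. A private key that
# anyone but root can read is never installed; fix it first.
install_key_pair() {
    verify_key_perms "$1" || {
        echo "refusing to install: bad permissions on $KEY_NAME pair in $1" >&2
        return 1
    }
    mkdir -p "$KEY_DIR" && cp -p "$1/$KEY_NAME" "$1/$KEY_NAME.pub" "$KEY_DIR/"
}

# Typical use on the BIG-IP, as root, with the pair generated in a scratch dir:
#   generate_tunnel_key /root/keygen && set_key_perms /root/keygen && install_key_pair /root/keygen
```

Running the functions in that order mirrors the chapter's sequence; the guard in install_key_pair exists so that a key whose permissions were loosened by an interrupted step is caught before it is placed where the startup script will read it.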
Next, you must change the syslog-ng utility startup script, /etc/init.d/syslog-ng, so that the encrypted tunnel is opened when the syslog-ng script starts up, and is closed when the script is restarted or stopped.
Before you edit the syslog-ng utility startup script, save a backup copy to the root directory. Use the following command to save the backup to the root directory:
After you save a backup of the syslog-ng utility startup script, /etc/init.d/syslog-ng, edit it so that it automatically creates the SSH tunnels when the syslog-ng utility is started, and closes them when the syslog-ng utility is restarted or stopped.
The example configuration in this document demonstrates how to create a tunnel to a host using the following IP addresses and ports:
IP address of 10.0.0.100
User name logger on host 10.0.0.100
Start by adding syntax below the line that reads start). Figure A.2 is an example of what the section of the syslog-ng start script looks like after you add the new syntax. In this example, the syntax you need to add is shown with bold text.
ssh -L 5140:10.0.0.100:5140 \
Next, add syntax below the line that reads stop). Figure A.3 shows the syntax you need to add in bold text.
for sshTunnel in \
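The start) and stop) additions described above, as an added example that is not F5's /etc/init.d/syslog-ng script: it opens the tunnel with the page's values (local port 5140, host 10.0.0.100, remote port 5140, user logger, identity /var/ssh/syslog_tunnel_ID) and, on stop, feeds the page's "for sshTunnel in" loop only the PIDs of ssh processes that carry exactly that forwarding spec. The ssh options -i, -N and -f, the use of "ps -eo pid,args", and the matching rule are assumptions of this example; the ps listing at the bottom is constructed for exercising the matcher offline.

```shell
#!/bin/sh
# Added example, not F5's /etc/init.d/syslog-ng: the tunnel-handling logic the
# chapter says to splice in under start) and stop), using the page's values.
# Assumptions: ssh accepts -i/-N/-f, "ps -eo pid,args" is available, and the
# identity has no passphrase (otherwise start) blocks waiting for input).

LOCAL_PORT=5140
REMOTE_HOST=10.0.0.100
REMOTE_PORT=5140
TUNNEL_USER=logger
TUNNEL_KEY=/var/ssh/syslog_tunnel_ID

# The -L forwarding spec is the one token that identifies our tunnel process.
forward_spec() {
    printf '%s:%s:%s' "$LOCAL_PORT" "$REMOTE_HOST" "$REMOTE_PORT"
}

# start): -i uses the dedicated identity instead of root's default key,
# -N requests no remote command, -f backgrounds ssh once authenticated.
start_tunnel() {
    ssh -i "$TUNNEL_KEY" -N -f -L "$(forward_spec)" "$TUNNEL_USER@$REMOTE_HOST"
}

# Print the PIDs of ssh processes whose -L spec is exactly ours. Reads
# "pid command args..." lines (the shape of "ps -eo pid,args") from stdin so
# the rule can be tested on constructed input. Requiring the whole spec,
# bounded by spaces, means stop) never kills an administrator's interactive
# ssh session or a tunnel to some other host or port.
tunnel_pids() {
    spec=$(forward_spec)
    while read -r pid cmd rest; do
        case "$cmd" in ssh|*/ssh) ;; *) continue ;; esac
        case " $rest " in *" -L $spec "*) printf '%s\n' "$pid" ;; esac
    done
}

# stop): the page's "for sshTunnel in ..." loop, fed by the matcher above.
stop_tunnel() {
    for sshTunnel in $(ps -eo pid,args | tunnel_pids); do
        kill "$sshTunnel"
    done
}

# Constructed ps listing (not real BIG-IP output) for exercising tunnel_pids
# offline: only PIDs 1234 and 1500 carry our exact forwarding spec.
SAMPLE_PS='  PID COMMAND
  226 bcm56xxd
 1234 ssh -i /var/ssh/syslog_tunnel_ID -N -f -L 5140:10.0.0.100:5140 logger@10.0.0.100
 1300 ssh admin@10.0.0.5
 1400 ssh -L 5140:10.0.0.100:51400 logger@10.0.0.100
 1500 /usr/bin/ssh -N -L 5140:10.0.0.100:5140 logger@10.0.0.100'

# Dispatch the way the init script does; with no argument nothing is started.
case "${1:-}" in
    start) start_tunnel ;;
    stop)  stop_tunnel ;;
esac
```

In the real script, start_tunnel goes under start) before syslog-ng is launched and stop_tunnel under stop) after it is halted, so the local port 5140 exists before syslog-ng tries to deliver to it and disappears only after the last message has been sent.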
After you add the syntax to open and close SSH tunnels, you can modify the configuration of the syslog-ng utility to log messages to a remote syslog-ng server. To do this, you can use either the BIG-IP Configuration utility or the tmsh command line interface.
1. From the Main tab, expand System, and click Logs.
2. From the Configuration menu, choose Remote Logging.
   The Remote Logging screen appears.
3. In the Remote IP box, type the IP address of the remote logging server.
4. In the Remote Port box, retain the default port number or type a different port number.
5. In the Local IP box, type the IP address of the local BIG-IP system that is sending the log messages.
   This step is optional.
6. Click Add.
7. Repeat steps 3 through 6 for each remote logging server to which you want the BIG-IP system to send log messages.
8. Click Update.
modify sys syslog remote-servers add { remotesyslog1 { host <host> remote-port <port> local-ip <local-ip> } }
Note: The syslog-ng daemon on the local BIG-IP system automatically restarts whenever you update the remote server configuration. This restart occurs whether you perform the update through the Configuration utility or tmsh.
After you have used the syslog command to set up the remote logging host to log messages, you must copy the unique SSH identity to the remote logging host. To do this, copy the syslog_tunnel_ID.pub identity to the remote syslog server, and append this key to the authorized_keys file found in the .ssh folder under the home directory of the user that you want to use to capture remote log messages.
Verify that the logging facility is configured and ready to receive syslog-ng messages on the <remote tunnel port>. If the remote logging host uses the syslog-ng utility, you need to add a source configuration block such as the example shown in Figure A.4.
In addition to the source identification block, you also need to add filter, destination, and log configuration blocks to use the data from the source remote as required by your application.
1. Log on as root to the BIG-IP system.
   If everything is configured correctly, you should be able to get shell access to the remote logging host without being challenged for a password. (When you add the new identity key to the remote host's authorized_keys file, the key is used to authenticate the BIG-IP system.)
4. Restart the syslog-ng utility by typing the following command:
The BIG-IP system log messages contain codes that provide information about the system. You can run the Linux zcat command at the system prompt to expand the codes in log messages to provide more information. In Figure A.5, the bold text is the expansion of the log code 012c0012.
Jun 14 14:28:03 sccp bcm56xxd [ 226 ] : 012c0012 : (Product=BIGIP Subset=BCM565XXD) : 6: 4.1 rx [ OK 171009 Bad 0 ] tx [ OK 171014 Bad 0 ]
At the BIG-IP system prompt, type the Linux zcat command, using this syntax:
You can view log files for a specific range of dates. To do this, you use the show log command within the sys module of the Traffic Management shell (tmsh). For more information, see the Traffic Management Shell (tmsh) Reference Guide.
You can view the command audit log by date range, using the Traffic Management shell (tmsh). For more information, see the Traffic Management Shell (tmsh) Reference Guide.