High Speed Logging - Not working quite as expected (Specific to ArcSight)
I'm wondering if anyone can offer any advice on how this should be working and whether I'm getting the wrong understanding of this.
To be clear, it is not the iRule HSL implementation but simply the built-in /sys log-config filters/publishers/destinations.
My Requirements
- I require logs to continue to be available on the Big-IP, as though we've not configured any differences to logging.
- I also want to log everything (debug from all sources) out to our chosen SIEM product ArcSight.
- I'm using Big-IP 11.6.0 HF3 (ENG)
- Resources provisioned: APM
- Not requiring additional logging such as request logging.
- https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-6-0/22.html?sr=43624187
- Configured a pool named SIEM-ArcSight-Logging which contains the ArcSight Server, port 514.
- Configured a destination SIEM-Dest-HSL, type Remote High Speed Logging (unformatted), forwards to SIEM-ArcSight-Logging pool, type UDP
- Configured a destination SIEM-Dest-ArcSight, type ArcSight (formatted), forwards to SIEM-Dest-HSL
- Configured a publisher SIEM-Pub-Default, destinations:
  - SIEM-Dest-ArcSight
  - SIEM-Dest-HSL
  - alertd
- Configured a filter SIEM-Filter, severity Debug, source all, Publisher SIEM-Pub-Default
My gut feeling says I may have set the publisher up wrong, so I have tried each of its entries on its own. alertd and SIEM-Dest-HSL seem to work fine (I see syslog traffic leaving for the HSL) but ArcSight does not. Documentation seems somewhat unclear as to what destinations are required, i.e. do I just need to add ArcSight and let it forward itself to HSL, or do I need both? Also, should I be configuring multiple filters to cover debug/all, or am I correct to have just the one 'catch all'?
I have additionally seen a warning in one presentation I bumped into whilst Googling away which said "Warning, dangerous defaults 'debug/all'", but I couldn't find an explanation of why these are dangerous, so I proceeded with caution and tried upping the severity, but it made no difference.
Any and all feedback/advice/other would be incredibly welcomed.
Many thanks,
JD.
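For reference, here is the same destination/publisher/filter chain expressed as tmsh commands. This is an added example, not configuration posted by the original author or taken from the linked F5 manual; the pool member address 192.0.2.10 is a placeholder and the object names are the ones from the post. The publisher carries only the formatted ArcSight destination, which in turn forwards to the unformatted HSL destination; putting the raw HSL destination in the same publisher alongside the ArcSight one would send each message to the pool twice, once CEF-formatted and once raw.

```tmsh
# Pool holding the ArcSight collector (placeholder address, assumed UDP/514)
create ltm pool SIEM-ArcSight-Logging members add { 192.0.2.10:514 }

# Unformatted remote high-speed-log destination pointing at that pool over UDP
create sys log-config destination remote-high-speed-log SIEM-Dest-HSL pool-name SIEM-ArcSight-Logging protocol udp

# Formatted ArcSight (CEF) destination that wraps the HSL destination
create sys log-config destination arcsight SIEM-Dest-ArcSight forward-to SIEM-Dest-HSL

# Publisher lists only the formatted destination; it already forwards to the HSL one
create sys log-config publisher SIEM-Pub-Default destinations add { SIEM-Dest-ArcSight }

# A single catch-all filter: every source, down to debug severity, into the publisher
create sys log-config filter SIEM-Filter level debug source all publisher SIEM-Pub-Default

# Review what was built, then persist it
list sys log-config
save sys config
```

Two practical notes on the catch-all filter. First, "level debug source all" forwards the full debug output of every daemon, which on a busy APM box is a large volume of UDP datagrams with no delivery guarantee, so a collector that cannot keep up simply loses events silently; a tcpdump on the pool member port is the quickest way to confirm whether formatted CEF lines are actually leaving. Second, UDP syslog on port 514 is cleartext, so anything logged at debug (session details, usernames, URLs) crosses the network unprotected unless the path to the collector is otherwise isolated.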