QRadar: Multiple F5 Networks BIG-IP Local Traffic Manager (LTM) 10.x appliances show under the same log source

Troubleshooting

Problem

When multiple F5 Networks BIG-IP Local Traffic Manager (LTM) appliances at v10.x send event data to QRadar, the events all display under the same log source.

Cause

This issue is due to the Syslog output format of the F5 Networks BIG-IP LTM v10.x appliance, which includes the use of local/ before the host name in the Syslog header. The F5 Networks BIG-LTM system administrator must either the Syslog template (syslog.tmpl) file or provide a custom Syslog include statement to verify that the format being output does not contain local/ before the hostname.

Note: QRadar support representatives cannot assist with this change or advise F5 Network BIG-LTM administrators changes. If you are unfamiliar with how to update your F5 Networks BIG-IP LTM appliance, you can contact F5 Networks Support.

Resolving The Problem

A workaround is available to correct the syslog header issue. For the most up to date information please contact F5 Networks support. This issue is referenced on F5 Networks website on the following link:

https://devcentral.f5.com/questions/qradar-setup-issue

-----
Where do you find more information?

Related Information

See the DSM Configuration Guide for more information on

https://devcentral.f5.com/questions/qradar-setup-issue

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Integrations - IBM","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.1;7.0;7.2","Edition":"Enterprise","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Tips

QRadar: Multiple F5 Networks BIG-IP Local Traffic Manager (LTM) 10.x appliances show under the same log source

Troubleshooting

Problem

Cause

Resolving The Problem

Related Information

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?