IBM Support

QRadar: Multiple F5 Networks BIG-IP Local Traffic Manager (LTM) 10.x appliances show under the same log source



When multiple F5 Networks BIG-IP Local Traffic Manager (LTM) appliances at v10.x send event data to QRadar, the events all display under the same log source.


This issue is due to the Syslog output format of the F5 Networks BIG-IP LTM v10.x appliance, which includes the use of local/ before the host name in the Syslog header. The F5 Networks BIG-LTM system administrator must either the Syslog template (syslog.tmpl) file or provide a custom Syslog include statement to verify that the format being output does not contain local/ before the hostname.

Note: QRadar support representatives cannot assist with this change or advise F5 Network BIG-LTM administrators changes. If you are unfamiliar with how to update your F5 Networks BIG-IP LTM appliance, you can contact F5 Networks Support.

Resolving The Problem

A workaround is available to correct the syslog header issue. For the most up to date information please contact F5 Networks support. This issue is referenced on F5 Networks website on the following link:

Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Integrations - IBM","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.1;7.0;7.2","Edition":"Enterprise","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018