
Open up your SYSLOG

Whilst working with one of our observability customers, the question of SYSLOG came up as a last-minute question on our weekly call. The network team representative was wondering if we could help develop a script to pull SYSLOG messages from their aging ITIM (IT Infrastructure Monitoring) tool and push them to a security solution.

It turned out that they were running several F5 load balancers and the appliances could only send to a single destination (1 to 1). Monitoring was more important from the ITIM point of view, but the security team raised a risk because they were kept in the dark.

Writing a script was easy: the logs rolled over daily and the sizes were between 0.5 and 1.0 GB per active appliance. We could log on to each of the devices at 00:05, copy the previous day's files to a central file share and push them to an API on the security side. But it's not the 90s, and there are smarter ways to crack this egg without scripting a thing.

As a partner, we knew that we could do much more with syslog and that it was very easy to hook up. So, we proceeded to draw a simple diagram on screen to explain what we could actually do by introducing the solution as the middle man. See below.

On the left is the current setup: a 1:1 relationship between each F5 appliance and their monitoring solution. A dead end for syslog; only the network team gets to see it.

On the right is the approach we suggested and actually started to deploy on the same day (quick request for an eval copy). Here is how it works: the F5 keeps sending its syslog to a single destination, but this destination is able to do a lot more than just store. It ingests and stores the data, and can then decide to shine a light on it by forwarding to the security team's solution (Splunk).
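The store-then-forward pattern described above, as an added example (not the product's code and not from the original post): a UDP syslog relay that stores every message and fans it out by facility and severity. The addresses, port 5514, the store path and the routing policy are constructed assumptions.

```python
import re
import socket

PRI_RE = re.compile(rb"^<(\d{1,3})>")
AUTH, AUTHPRIV, AUDIT = 4, 10, 13  # standard syslog facility codes

def parse_pri(datagram):
    """Return (facility, severity) from the <PRI> header; PRI = facility*8 + severity."""
    m = PRI_RE.match(datagram)
    if m and int(m.group(1)) <= 191:
        return divmod(int(m.group(1)), 8)
    return (1, 5)  # RFC 3164: a missing or invalid PRI is treated as 13 (user.notice)

class Relay:
    def __init__(self, store_path, forwards, send=None):
        self.store_path = store_path
        self.forwards = forwards  # [((host, port), predicate(facility, severity)), ...]
        self.send = send or socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto

    def handle(self, datagram, source_ip):
        """Store one message, then forward it unchanged to each matching destination."""
        facility, severity = parse_pri(datagram)
        # Escape embedded newlines so one datagram cannot forge extra stored records.
        record = datagram.strip().replace(b"\r", b"\\r").replace(b"\n", b"\\n")
        with open(self.store_path, "ab") as f:  # store first, so nothing is lost
            f.write(source_ip.encode() + b" " + record + b"\n")
        sent = []
        for addr, wants in self.forwards:
            if wants(facility, severity):
                try:
                    self.send(datagram, addr)
                    sent.append(addr)
                except OSError:
                    pass  # an unreachable consumer must not block the others
        return sent

    def serve(self, bind=("0.0.0.0", 5514)):
        rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        rx.bind(bind)
        while True:
            data, (ip, _port) = rx.recvfrom(65535)
            self.handle(data, ip)

# Constructed policy: monitoring receives everything; the security tool receives
# auth/audit facilities plus anything at severity warning (4) or worse.
MONITORING, SECURITY = ("192.0.2.10", 514), ("192.0.2.20", 514)
FORWARDS = [
    (MONITORING, lambda fac, sev: True),
    (SECURITY, lambda fac, sev: fac in (AUTH, AUTHPRIV, AUDIT) or sev <= 4),
]
```

Running `Relay("/var/log/f5-store.log", FORWARDS).serve()` starts the listener; the appliances keep their single syslog destination and point it at the relay.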


We continued to explain the other benefits:

Real Time Visualization - as logs arrive they are converted to metrics

Real Time Alerting - adding thresholds means you can inform support teams

Infinite Retention - there are no limits to what you can store

Replay - any log lines/days/weeks to any destination (Network, Security, Application tools)

Nothing is lost - the current logs from the existing ITIM tool can be ingested so no loss of history.

All F5's are now connected to The security team got the data they needed. The Network team informed us that, with the added monitoring and alerting features, they didn't need to keep the old tool anyway. It's now switched off. from the last couple of weeks.

If you want to speak to us about Syslog, decommissioning old ITIM tools, Observability (but not scripting) - shoot us an email,