
I am looking for information on whether F5 can forward syslog info to a SIEM such as ArcSight or QRadar.

I have heard that you can only send unencrypted traffic on port 80 but you can't forward anything encrypted. Is this true? Has anyone else run into this issue?

  • 2
    Are you intending to have the F5 Big-IP send its own log data to the SIEM, or are you looking to have the Big-IP load balance syslog traffic? – Stuggi Feb 15 '20 at 09:28

1 Answer


F5 BIG-IP uses syslog-ng for its basic logging, so it will be reliant on mutual auth via TLS or some stunnel method.

Per F5's documentation(bottom of page):

"If you want to ensure that the Syslog-ng messages being logged remotely are encrypted, you must first establish a secure tunnel."

This assumes you're only going to use vanilla syslog-ng included on the system.

F5 BIG-IP usually integrates into SIEMs with the High Speed Logging (HSL) which instead provides events including near-real time events like security attacks and other time-sensitive logging needs. BIG-IP includes security features and syslog was not appropriate for the event traffic.

F5 BIG-IP High Speed Logging does support secure remote logging.

Most major SIEM vendors will also include specifics on how to integrate with F5 BIG-IP.

If you have any additional info, comment here and I can update my answer accordingly.

Chase
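The "secure tunnel" approach the answer quotes from F5's documentation, shown as an added example that is not part of the original answer or of F5's documentation: syslog-ng keeps sending plaintext TCP, but only to a local stunnel listener, which wraps it in TLS and verifies the SIEM collector's certificate before forwarding. The hostname, port, certificate paths and the availability of an stunnel client on the BIG-IP (or on a relay host in front of the SIEM) are assumptions.

```ini
; --- stunnel client configuration (assumed path: /etc/stunnel/syslog-tls.conf) ---
; syslog-ng on the BIG-IP writes plaintext to 127.0.0.1:1514; stunnel
; forwards it over TLS to the SIEM collector. Nothing leaves the host in the clear.

; Accept only loopback connections so other hosts cannot relay through this tunnel.
[syslog-tls]
client = yes
accept = 127.0.0.1:1514
connect = siem-collector.example.internal:6514   ; assumed SIEM TLS syslog listener

; Verify the collector's certificate chain against a pinned CA, not the system store,
; and check that the presented certificate name matches the host we dialed.
CAfile = /config/ssl/ssl.crt/siem-collector-ca.crt   ; assumed CA bundle location
verifyChain = yes
checkHost = siem-collector.example.internal

; Mutual TLS: present a client certificate so the collector can reject unknown senders.
cert = /config/ssl/ssl.crt/bigip-syslog-client.crt   ; assumed client cert
key  = /config/ssl/ssl.key/bigip-syslog-client.key   ; assumed client key

; Refuse legacy protocol versions; the collector side must agree on TLS 1.2 or later.
sslVersionMin = TLSv1.2

; --- syslog-ng destination fragment (added to the BIG-IP syslog-ng include) ---
; destination d_siem_tunnel {
;     tcp("127.0.0.1" port(1514));   ; loopback only; stunnel adds the TLS
; };
; log { source(local); destination(d_siem_tunnel); };
```

Verify the result from the collector side: the socket on 6514 should present the pinned CA-issued certificate, and a packet capture between the BIG-IP and the SIEM should show only TLS records, no readable syslog text.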