Need to identify a way to send logs from BIG-IQ to Splunk so we can see failures when BIG-IQ is trying to send signature updates to the DMZ F5’s running AWAF.

First, setting up logging was pretty easy to do

System Tab – Audit Log Syslog Servers

Enter NAME and IP address of syslog servers and TCP 514.

NOTE: I tried the newer rfc5424 and got nothing in Splunk so have to leave the old school rfc3164

Next, Found some interesting articles

https://techdocs.f5.com/kb/en-us/products/big-iq-centralized-mgmt/manuals/product/bigiq-central-mgmt-security-5-4-0/22.html