CraigM_17826
Jul 04, 2012

Any way to have entries written to /var/log/ltm to an external syslog server?

Hi,

Our company has made the decision to move our various web sites into the cloud. Our cloud provider has given us a partition on some form of BigIP running ver 11. Even though we have "manager" access to our partition we cannot access the ltm log files either via the GUI interface or via shell, in fact we have no ssh access either. Normally on our pair of LTMs I would have a tail running on /var/log/ltm to help in debugging iRules, esp. any TCL related errors. The only suggestion the cloud provider had was to tell us to set up a syslog server and redirect the ltm logs to the syslog server. Well I have set up a syslog server but when I asked for help in having the ltm logs for our partition redirected, there has been complete silence. So I thought I would ask here.

I have looked on the wiki and there are quite a few topics on having log entries written to an external syslog server, and I have done some simple log statements to do this, but this is not quite what I need because I would like to see TCL errors as well and I can't see any way to log these. So I guess if it can be done it's now from an iRule, or it can't be done. So is it possible?

tia

Craig

  • Hi Craig,

    You can log directly from an iRule using HSL::open or log remote. However, that won't capture runtime errors with iRules, as those aren't generated from the iRule itself but from TMM. You could test this to confirm. But I think you'll need to configure syslog-ng to log /var/log/ltm entries to your remote syslog server. You can check these articles for details:

    HSL (10.1+)
    https://devcentral.f5.com/wiki/iRules.hsl__open.ashx

    log remote
    https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/190/iRules-Update-New-options-for-the-log-command.aspx

    You can also search on AskF5 for "remote syslog" for LTM to get instructions on how to configure syslog-ng for remote logging.

    Aaron
  • this is my testing.  

     

    LTM 9.4.2+: Custom Syslog Configuration by Deb  

    https://devcentral.f5.com/s/articles/LTM-9-4-2-Custom-Syslog-Configuration

     

    [root@ve10:Active] config  b syslog include
    SYSLOG - Include Data: none
     
    [root@ve10:Active] config  b syslog include '"
    > destination remote_server {
    >   udp(\"192.168.206.55\" port (514));
    > };
    > filter f_rule {
    >   match(\"_rule\");
    > };
    > log {
    >   source(s_syslog_pipe);
    >   filter(f_local0);
    >   filter(f_rule);
    >   destination(remote_server);
    > };"'
    [root@ve10:Active] config  b syslog include
    SYSLOG - Include Data:
    destination remote_server {
      udp("192.168.206.55" port (514));
    };
    filter f_rule {
      match("_rule");
    };
    log {
      source(s_syslog_pipe);
      filter(f_local0);
      filter(f_rule);
      destination(remote_server);
    };
     
    [root@ve10:Active] config  b rule test_rule list
    rule test_rule {
       when CLIENT_ACCEPTED {
          set test "HTTP::uri"
          eval $test
       }
    }
     
    /var/log/ltm
     
    Jul  4 12:43:03 local/tmm err tmm[5111]: 01220001:3: TCL error: test_rule  - Operation not supported (line 2)     invoked from within "HTTP::uri"     ("eval" body line 1)     invoked from within "eval $test"
     
    syslog
     
    C:\>nc -l -u -p 514
    <131>Jul  4 12:43:03 local/tmm err tmm[5111]: 01220001:3: TCL error: test_rule  - Operation not supported (line 2)     invoked from within "HTTP::uri"     ("eval" body line 1)     invoked from within "eval $test"
  • Thanks for the quick replies. One more question, if I get this going, will only entries relating to our partition be captured or will I see entries from all partitions on this LTM? At the moment there is only one other company. It was explained to me that the reason why they wouldn't give me LOG access was because I would see log entries from other users in different partitions. So is there a way I can filter out entries only relating to our partition to keep them happy?

    tia

    Craig

  • In my example, I filter the log by using part of the iRule name, i.e. "_rule". I am not sure if the partition name is included in the log. If yes, we use the partition name to filter the log.
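
Added example, not part of any post in this thread: a receiver-side parser for the forwarded line shown in the nc capture above. It decodes the `<131>` priority and applies the same rule-name substring check on the syslog server, matching only the rule-name field rather than the whole message as the syslog-ng `match()` does. The second sample line and the rule name `othercorp_redirect` are constructed, and the field layout is assumed from the single captured line.

```python
import re

# Constructed sample input: the first datagram is the line from the nc capture,
# the second is a made-up line for a rule whose name does not contain "_rule".
SAMPLE = [
    '<131>Jul  4 12:43:03 local/tmm err tmm[5111]: 01220001:3: TCL error: '
    'test_rule  - Operation not supported (line 2)     invoked from within '
    '"HTTP::uri"     ("eval" body line 1)     invoked from within "eval $test"',
    '<131>Jul  4 12:44:10 local/tmm err tmm[5111]: 01220001:3: TCL error: '
    'othercorp_redirect  - Operation not supported (line 1)',
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>timestamp host [level] proc[pid]: msgid:level: text (layout assumed from the capture)
LINE_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?:\S+ )?(?P<proc>[\w-]+)\[(?P<pid>\d+)\]: '
    r'(?P<msgid>[0-9a-fA-F]{8}):(?P<level>\d): (?P<text>.*)$')
TCL_RE = re.compile(r'^TCL error: (?P<rule>\S+)\s+- (?P<error>.*?)(?:\s{2,}|$)')

def parse(datagram):
    """Decode one forwarded line; return None if it does not have the expected shape."""
    m = LINE_RE.match(datagram.strip())
    if not m or int(m["pri"]) > 191:          # valid PRI is facility*8 + severity, max 191
        return None
    pri = int(m["pri"])
    rec = {"facility": pri >> 3, "severity": SEVERITIES[pri & 7],
           "host": m["host"], "msgid": m["msgid"], "rule": None, "error": None}
    t = TCL_RE.match(m["text"])
    if t:
        rec["rule"], rec["error"] = t["rule"], t["error"]
    return rec

def tcl_errors(datagrams, rule_substring):
    """Keep only TCL errors whose rule name contains rule_substring."""
    kept = []
    for d in datagrams:
        rec = parse(d)
        if rec and rec["rule"] and rule_substring in rec["rule"]:
            kept.append(rec)
    return kept

if __name__ == "__main__":
    for rec in tcl_errors(SAMPLE, "_rule"):
        print(rec)
```

Priority 131 decodes to facility 16 (local0) and severity 3 (err), which is consistent with the `f_local0` filter in the include and the `err` level in the log line.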
  • Hi Nitass and Hoolio,

    Thanks for your comments/suggestions. I'm working with our cloud provider now on this.

    Craig