Forum Discussion
NimbostratusBest practices for syslog
Dev,
I'm trying to figure out what we should be logging and how to adjust the logging for our syslog server. Has anyone seen a performance hit from the logging? I'd also like some insight into the HSL, but I need to get basic logging working to begin with before I go down that road. I've found the logging documentation for V11.2 to be kinda sparse, so I'm turning to Dev for some insight on what you guys are logging, how I can make the correct choices on what to log, etc. I've got syslog set up and it's logging somewhat correctly, however I'm seeing a lot of messages coming from Cron:
Oct 3 00:25:01 boydf5 debug crond[14048]: pam_unix(crond:session): session opened for user root by (uid=0)
Oct 3 00:25:01 boydf5 info crond[14049]: (root) CMD (/usr/lib/sa/sa1)
Oct 3 00:25:01 boydf5 debug crond[14048]: pam_unix(crond:session): session closed for user root
Oct 3 00:26:01 boydf5 debug crond[14050]: pam_unix(crond:session): session opened for user syscheck by (uid=0)
and I'm not really sure how to stop them. These logs are roughly 90% of what's being logged, and I don't see a need for them to be logged anywhere. I'm also seeing my machine requesting and receiving the SSL cert from the F5, and that's not really that important to me. I'm more concerned with tracking a security incident and making sure I've done my own CYA so there can't be any blame on me for not having the info I need. I've tweaked everything to the level I think it should be at, unless I'm looking at it incorrectly. I'm pasting in my syslog config to verify the settings are correct, and see if anyone has any suggestions. Thanks for the help!
sys syslog {
auth-priv-from notice
auth-priv-to emerg
console-log disabled
cron-from err
cron-to err
daemon-from notice
daemon-to emerg
description Boyd-F5-01
include none
iso-date disabled
kern-from notice
kern-to emerg
local6-from notice
local6-to emerg
mail-from notice
mail-to emerg
messages-from notice
messages-to warning
remote-servers {
remotesyslog1 {
description none
host XXX.XXX.XXX.XXX
local-ip XXX.XXX.XXX.XXX
remote-port XXX
}
}
user-log-from emerg
user-log-to emerg
}
- nitass
Employee
have you seen this one? i understand you have to use syslog include to filter message to remote syslog server.
LTM 9.4.2+: Custom Syslog Configuration by Deb
https://devcentral.f5.com/s/articles/LTM-9-4-2-Custom-Syslog-Configuration
sol11723: Filtering log messages sent to remote syslog servers (9.4.x - 10.x)
http://support.f5.com/kb/en-us/solutions/public/11000/700/sol11723.html
wixxyl_98682Very good resources, thank you very much. I'm not really a Linux guy, so the underlying interface is taking some getting used to. Any insight in to where those specific messages are being logged from, I've checked against the documentation and compared it with my own config, but I just don't know if I'm missing something. Do I need to restart the syslog function? I've not spent much time dealing with syslog(pretty obvious) so I want to get it right.- nitassOct 3 00:25:01 boydf5 debug crond[14048]: pam_unix(crond:session): session opened for user root by (uid=0)
Oct 3 00:25:01 boydf5 info crond[14049]: (root) CMD (/usr/lib/sa/sa1)
Oct 3 00:25:01 boydf5 debug crond[14048]: pam_unix(crond:session): session closed for user root
Oct 3 00:26:01 boydf5 debug crond[14050]: pam_unix(crond:session): session opened for user syscheck by (uid=0)those messages are from remotesyslog1 configuration (in case of gui, it is system > configuration > remote logging).
sorry i just noticed you are running 11.x.
The default syslog levels defined for the BIG-IP system logs apply to only local logs; the syslog levels do not apply to remote syslog servers that were defined using the tmsh modify /sys syslog remote-servers command.sol13333: Filtering log messages sent to remote syslog servers (11.x)
http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13333.html - wixxyl_98682Okay, so I've tested in my virtual environment and that link you gave me has it spot on. It was logging every time the system ran the scheduled job to poll for syslog, and created a log. The fact that the local logging levels aren't carried over to remote logging is strange to me, but, I guess it makes sense to somebody. :) I did pretty much what the filter was in the link and it seems to be working right. so now when I do "tmsh list sys syslog all-properties", I get:
modify syslog {
auth-priv-from notice
auth-priv-to emerg
cron-from warning
cron-to emerg
daemon-from notice
daemon-to emerg
description none
include "
filter f_remote_loghost {
level(warn..emerg);
};
destination d_remote_loghost {
udp(\"xx.xx.xx.xx\" port(514));
};
log {
source(s_syslog_pipe);
filter(f_remote_loghost);
destination(d_remote_loghost);
};
"
iso-date disabled
kern-from notice
kern-to emerg
mail-from notice
mail-to emerg
messages-from notice
messages-to warning
remote-servers none
user-log-from notice
user-log-to emerg
}
without all of the unnecessary things coming through. Thanks very much for the help Nitass you are the best!!
