Forum Discussion
TimRiker
Cirrocumulus
CirrocumulusBIG-IP syslog include
BIG-IP remote syslog with short names, iso dates, and milli/microseconds
It looks like syslog-ng is broken on a number of BIG-IP releases. Using use_fqdn(no) still gets fqdns in the logs. This looks to have been broken here:
https://cdn.f5.com/product/bugtracker/ID998649.html
Our work around is to add a rewrite filter that removes the domain name. Login, run tmsh, command "edit sys syslog" and enter the below. You probably want to clear any remote syslog setup in the UI first.
sys syslog {
include "
# short hostnames
options {
frac_digits(6);
keep_hostname(no);
use_fqdn(no);
};
# F5 use-fqdn is broken in
# https://cdn.f5.com/product/bugtracker/ID998649.html
# so replace '\\.*' with ''
rewrite r_domain {
subst(\"\\\\..*\", \"\", value(\"HOST\"));
};
# Remote syslog in RFC5424 - Tim Riker <Tim@Rikers.org>
destination d_remote_loghost {
# put your syslog IP here in place of the 0.0.0.0
syslog(0.0.0.0 port(514));
};
log {
source(s_syslog_pipe);
rewrite(r_domain);
destination(d_remote_loghost);
};
"
}
Note: this output does NOT appear to be RFC5424 compliant. For example system output includes a priority field following the hostname, where rfc5424 does not include that in it's spec.
We have validated this on Version 17.x and are working on other versions as well. Here is the link to the article.
Using use_fqdn(no) in syslog configuration still includes the hostname/FQDN in the logs. (f5.com)
- Jmtaylor
Moderator
We have validated this on Version 17.x and are working on other versions as well. Here is the link to the article.
Using use_fqdn(no) in syslog configuration still includes the hostname/FQDN in the logs. (f5.com) - TimRiker
I'm happy to have this exposed as "Solution". Perhaps with a shorter title.😀I edited the original.
I updated it with frac_digits(6); to get microseconds as the logger seems to support that.
Output from F5s does NOT appear to be RFC5424 compliant with this change. For example, I see an ascii level indicator which rfc5424 does not include. I'm looking into further validation.
The F5s should really have built in support to log in rfc5424 with short names, timezone and milli/microsecond information. Supporting only fqdn and only rfc3164 is pretty lame in this day and age.
There are a few F5 KB articles that recommend adding udp() to syslog include. udp() has been deprecated for a long time now. Any KB references that include that should be updated.
BIG-IP 15.1.10.3 includes syslog-ng 3.8.1 which no longer has reliable online documentation that I can find. If F5 is going to continue to ship this old version, they should at least post the documentation online. syslog-ng 3.8.1 shipped on Aug 19, 2016:
https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.8.1
- LiefZimmerman
Admin
Unfortunately, for now, I can't see to mark multiple items as Solution.
When I can I will do so for this comment as well.Thanks again Tim - very helpful.
- LiefZimmerman
TimRiker - A) this is amazing.
B) I've asked our support-based moderators to take a look and see if we might cross-link your workaround into other places through support.
C) If you agree - I think it would be right to push this into the codeshare node as a "Solution" to the problem.I can take care of that for you if you like.
Lief - LiefZimmerman
TimRiker - given that Jmtaylor was able to push this over into an actual Knowledge article (officially F5 supported) solution I'm less concerned with where it lives in DevCentral now. As long as it's discoverable.
I will mark a comment as the solution so that it gets that deserved lift as well.Thanks JMTaylor and HUGE thanks to you Tim for sharing this with the F5 Community.
