Forum Discussion

wng_98840
Apr 19, 2012

bigpipe include

Would the following code work in 9.4.8 and 10.2? I'm trying to monitor for specific logging I set up using an irule. I want to parse out those logs in a separate file. Also, how do I go about removing this from the config if I don't need it anymore?

Thanks in advance,

Bill

********************************

    bigpipe syslog include '"
    filter f_local0 {
    facility(local0) and not match(\": \");
    };
    filter f_local0_customlog {
    facility(local0) and match(\": \");
    };
    destination d_ltm {
    file("/var/log/ltm" create_dirs(yes));
    };
    destination d_customlog {
    file(\"/var/log/customlog\" create_dirs(yes));
    };

    log {
    source(local);
    filter(f_local0_customlog);
    destination(d_customlog);
    };

    log {
    source(local);
    filter(f_local0);
    destination(d_ltm);
    };

    "'
  • you forgot backslash (\) on d_ltm configuration. others are okay.

    [root@ve1023:Active] config  b version|grep -iA 1 version
    BIG-IP Version 10.2.3 112.0
    Final Edition
    
    [root@ve1023:Active] config  b syslog include
    SYSLOG - Include Data: none
    [root@ve1023:Active] config 
    [root@ve1023:Active] config  bigpipe syslog include '"
    > filter f_local0 {
    >    facility(local0) and not match(\": \");
    > };
    > filter f_local0_customlog {
    >    facility(local0) and match(\": \");
    > };
    > destination d_ltm {
    >    file(\"/var/log/ltm\" create_dirs(yes));
    > };
    > destination d_customlog {
    >    file(\"/var/log/customlog\" create_dirs(yes));
    > };
    >
    > log {
    > source(local);
    > filter(f_local0_customlog);
    > destination(d_customlog);
    > };
    >
    > log {
    > source(local);
    > filter(f_local0);
    > destination(d_ltm);
    > };
    >
    > "'
    [root@ve1023:Active] config 
    [root@ve1023:Active] config  b syslog include
    SYSLOG - Include Data:
    
    filter f_local0 {
       facility(local0) and not match(": ");
    };
    filter f_local0_customlog {
       facility(local0) and match(": ");
    };
    destination d_ltm {
       file("/var/log/ltm" create_dirs(yes));
    };
    destination d_customlog {
       file("/var/log/customlog" create_dirs(yes));
    };
    
    log {
    source(local);
    filter(f_local0_customlog);
    destination(d_customlog);
    };
    
    log {
    source(local);
    filter(f_local0);
    destination(d_ltm);
    };
    
    [root@ve1023:Active] config 
    [root@ve1023:Active] config  b syslog include none
    [root@ve1023:Active] config  b syslog include
    SYSLOG - Include Data: none
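
The check the first reply does by eye, as an added example (not code from the thread or from F5): a small Python linter for the text between the outer `'"` and `"'` that flags double quotes lacking a backslash and, going slightly beyond the thread, `log` statements that reference a filter or destination the include does not define. `POSTED` is the include body from the question, embedded as a constructed sample; `lint_include` is a hypothetical helper name.

```python
import re

# Constructed sample: the include body as posted in the question (the text
# between the outer '" and "'); the d_ltm file() line lacks the backslashes.
POSTED = r'''
filter f_local0 {
facility(local0) and not match(\": \");
};
filter f_local0_customlog {
facility(local0) and match(\": \");
};
destination d_ltm {
file("/var/log/ltm" create_dirs(yes));
};
destination d_customlog {
file(\"/var/log/customlog\" create_dirs(yes));
};
log {
source(local);
filter(f_local0_customlog);
destination(d_customlog);
};
log {
source(local);
filter(f_local0);
destination(d_ltm);
};
'''.lstrip("\n")

DEF = re.compile(r"\s*(filter|destination)\s+(\w+)\s*\{")   # definitions
REF = re.compile(r"\b(filter|destination)\((\w+)\)\s*;")    # uses in log {}
BARE_QUOTE = re.compile(r'(?<!\\)"')                        # " without \

def lint_include(body):
    """Return (line_number, message) findings for an include body."""
    lines = body.splitlines()
    defined = {(m.group(1), m.group(2)) for m in map(DEF.match, lines) if m}
    findings = []
    for n, line in enumerate(lines, 1):
        if BARE_QUOTE.search(line):
            findings.append((n, "unescaped double quote"))
        # Assumption: names defined outside the include are reported too.
        for kind, name in REF.findall(line):
            if (kind, name) not in defined:
                findings.append((n, f"undefined {kind} {name}"))
    return findings

if __name__ == "__main__":
    for n, msg in lint_include(POSTED):
        print(f"line {n}: {msg}")
```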
    
  • Thanks for the verification. I made some changes to the code to log to a remote log server. I enabled the irule, but don't see anything being written to the remote syslog server. Any ideas?

    bigpipe syslog include '"

    destination log_server {
    udp(\"x.x.x.x\" port (514));
    };

    filter f_local0 {
    facility(local0) and not match(\": \");
    };

    filter f_local0_sessionlog {
    facility(local0) and match(\": \");
    };

    destination d_ltm {
    file(\"/var/log/ltm\" create_dirs(yes));
    };

    log {
    source(local);
    filter(f_local0_sessionlog);
    destination(log_server);
    };

    log {
    source(local);
    filter(f_local0);
    destination(d_ltm);
    };

    "'
  • the filter is correct, isn't it?

    if so, have you tried tcpdump on bigip?

    e.g.

    tcpdump -nni 0.0 udp port 514
    tcpdump -nni eth0 udp port 514

    the first tcpdump is on tmm interface. the second one is on mgmt interface.
  • The filters look correct. I used the following below on one of our F5s running v9.3 and it works fine. Wondering if I can use that in 9.4.8 and 10.2.

    *********************

    filter f_local0_sessionlog {
    match(": ");
    };

    *********************

    I ran 'tcpdump -s0 -nni eth0 udp port 514' and didn't see any traffic when the irule was enabled. I will also test the filter again by writing to the local file.
  • all was working. didn't realize 514 was going out a different interface. thanks for the help!