For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jforaker's avatar
jforaker
Icon for Nimbostratus rankNimbostratus
Oct 15, 2012

Can HSL be used to replace remote syslog v11.x

This is for a v11.2.0 LTM/APM box.

 

I have an HSL logging iRule on a test box that work great for HTTP request/response. I also have remote logging setup to a remote syslog server as well as 'Write To APM Log File' enabled with the level set to 'informational' so we can log the session variables.

 

Here is the config:

 

[root@device:Active] log tmsh list /sys syslog

 

sys syslog {

 

remote-servers {

 

remotesyslog1 {

 

host 10.1.1.1

 

remote-port 514

 

}

 

}

 

}

 

[root@device:Active] log tmsh list /sys db "log.access.syslog"

 

sys db log.access.syslog {

 

value "enable"

 

}

 

[root@device:Active] log tmsh list /sys db "log.accesscontrol.level"

 

sys db log.accesscontrol.level {

 

value "Informational"

 

}

 

[root@device:Active] log

 

 

As detailed in the release notes of 11.2 and in SOL11124 this type of logging can potentially cause issues:

 

"When running performance tests or under very high traffic loads, the /var/log/apm log file can grow to a very large size. Under these conditions, it is advised to disable logging to /var/log/apm/."

 

 

This is where I am hoping that a HSL iRule could be used to replace everything that is logged to /var/log/apm. Therefore we could still log the same data to a remote server without the possiblity of an impact to the production box.

 

I started to craft an iRule but I cannot see to get everything that is listed in /var/log/apm. Any one else have success in this type of iRule or is there an easy way to have /var/log/apm logged via HSL?

 

application delivery
dev
devops
iRules

4 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Oct 15, 2012
    Hi Jeff,

     

     

    You might be able to modify the access policy to trigger an iRule event on major changes in the state of the user's session and call HSL from there. But really, what you want/we should ideally provide is HSL logging directly from APM without an iRule. I encourage you to open a case with F5 Support to see if this type of request for enhancement has already been made. If so, you can add your case to it. If not, you can request to have one created.

     

     

    Aaron
  • Mohamed_Lrhazi's avatar
    Mohamed_Lrhazi
    Icon for Altocumulus rankAltocumulus
    Oct 15, 2012

    One idea, to be tested, is to configure syslog-ng to not log to the file system at all, and use a remote server that is a virtual server and on which an iRule would be written to use HSL to log everything it receives.

     

  • Mohamed_Lrhazi's avatar
    Mohamed_Lrhazi
    Icon for Altocumulus rankAltocumulus
    Oct 16, 2012
    Forget what I said.

     

     

    If you are logging a copy of all messages to remote syslog server, and the problem is excessive disk write from apm logs, the solution is to configure syslog-ng to not log those messages to disk.

     

     

    I am assuming the apm log file is generated by syslog-ng.

     

     

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Oct 16, 2012
    I think the issue is that you might not be able to use an iRule to generate every log message that APM can log (through syslog-ng) to the filesystem. So I don't think you can fully replace the default APM logging with an HSL iRule.

     

     

    Direct logging via HSL for APM would make a great request for enhancement.

     

     

    Aaron