Forum Discussion
Wouter_de_Bruin
Nimbostratus
NimbostratusCan I change default syslog facilities? (9.4.3)
Hello,
is there a way to change the default syslog facilities?
We have an external syslog server (Not managed by us, of course;-) which only forwards facilty 7 messages to the log files we are authorised to use. Yes, I know, it should be different, but its not a perfect world :-(
I know exactly which log events I'd like to forward to this server, but they have different facilities. I would like to change the facility of these messages to 7 before they are sent to the external server.
I had a look at "b syslog" but this doesn't seem to do the thing for me.
We are running LTM with 9.4.3
Any help appreciated.
Wouter de Bruin
14 Replies
- JRahm
Admin
Yes, syslog-ng can be setup to do this. Please reference this tech tip and post back if you have any questions.
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=155
Click here - nitass
Employee
could u pls try this? let us know if it doens't work.
Changing the Facility or Priority of a Syslog Message section
http://www.syslog.org/logged/pot-of-syslog-ng-tricks-version-3/ 
geffryti_32102Thanks Nitass.
I tried follow that but I get the below error...b syslog include '" local3.* /var/log/asm filter f_local3a { facility(local3); }; destination d_asmtest { file("/var/log/custom/asm_log_file" template("<190>$DATE $HOST $MSGHDR$MSG\n"; template_escape(no))); }; log { source(local); filter(f_local3a); destination(d_asmtest); }; "' BIGpipe parsing error: 012e0022:3: The requested value (/var/log/custom/asm_log_file") is invalid (show | ( | none)) for 'include' in 'syslog'
I felt that bigpipe had it's own way of parsing templates, so I reference an existing template field in the original syslog conf file... and this is what I got... it had to declare the template and then bind it with the destination file... I followed the format but didn't help though... I will try out other things, but if you have any idea where I'm wrong here, I would appreciate it.. tnx
note: this is one of our spare units... so the destination file changed a littleb syslog include '" local3.* /var/log/asm filter f_local3a { facility(local3); }; template t_asm { template("<190> $DATE $HOST $MSGHDR$MSG\n"); template_escape(no); }; destination d_asmtest { file("/var/log/lost+found/output/testasmlog" template(t_asm)); }; log { source(local); filter(f_local3a); destination(d_asmtest); }; "' BIGpipe parsing error: 012e0022:3: The requested value (<190> $DATE) is invalid (show | | none) for 'include' in 'syslog'- nitasscan u put backslash (\) in front ot double quote (")?
- geffryti_32102Yup, that fixed it. Below is the working config.
b syslog include '" local3.* /var/log/asm filter f_local3a { facility(local3); }; template t_asm { template(\"<190> $DATE $HOST $MSGHDR$MSG\n\"); template_escape(no); }; destination d_asmtest { file(\"/var/log/lost+found/output/testasmlog\" template(t_asm)); }; destination d_loghost5a { udp(\"10.2.2.2\" port (514)); }; log { source(local); filter(f_local3a); destination(d_asmtest); destination(d_loghost5a); }; "'
But below is the end result of the syslog... as you can see it actually wrote <190> instead of changing the facility. I'll play around with it and get back to you if I fix it...<190> Jun 14 06:51:51 blah blah blah blah blah - nitassthis is mine.
b syslog include '" filter f_local3a { facility(local3); }; template t_asm { template(\"<190> $DATE $HOST $MSGHDR$MSG\n\"); template_escape(no); }; destination d_loghost5a { udp(\"192.168.206.96\" port (514) template(t_asm)); }; log { source(local); filter(f_local3a); destination(d_loghost5a); }; "'
71 12:00:21.300602 0.000000 172.28.16.50 192.168.206.96 Syslog LOCAL7.INFO: Jun 14 20:55:18 tulip root: test\n - geffryti_32102Appreciate your help Nitass... it's working now... below is my working code....
Note: I removed the $DATE and $HOST entry since it's already part of the MSG header...b syslog include '" filter f_local3a { facility(local3); }; template t_asm { template(\"<190> $MSGHDR$MSG\n\"); template_escape(no); }; destination d_loghost5a { udp(\"2.2.2.2\" port (514) template(t_asm)); }; log { source(local); filter(f_local3a); destination(d_loghost5a); }; "' - nitassthanks for update and glad to hear it works now. :-)
- JRahmNice work, guys! I wrote up your solution:
http://devcentral.f5.com/weblogs/jason/archive/2011/06/20/changing-the-big-ip-default-syslog-ng-facilities.aspx Click Here - The equivalent tmsh syntax is modify sys syslog include "filter f_local3a { facility(local3); }; template t_asm { template(\"<190> $DATE $HOST $MSGHDR$MSG\\n\"); template_escape(no); }; destination d_loghost5a { udp(\"2.2.2.2\" port (514) template(t_asm)); }; log { source(local); filter(f_local3a); destination(d_loghost5a); }; " and if you want to log every message into one remote syslog facility I used this CLI modify sys syslog include "template t_asm { template(\"<190> $DATE $HOST $MSGHDR$MSG\\n\"); template_escape(no); }; destination d_loghost5a { udp(\"10.255.0.1\" port (514) template(t_asm)); }; log { source(local); destination(d_loghost5a); }; "
- Hem_66900
Cirrus
This command does not work fine.Please help.
