Forum Discussion
Configure Syslog-ng to Only Show Logins & Log Outs
I'm running ver 11.5 & need to set syslog messages to only send authentication messages to my syslog server. Right now it's sending everything & I don't have the storage to keep up. I'm only interested in seeing logins & logouts so I know who & when someone is logging into my F5.
I tried using "no" and "delete" in front of things I don't care to have logged, but that doesn't work in Linux. Any help is appreciated. Here is my current config below.
root@(MTLF5DEV01)(cfg-sync Standalone)(Active)(/Common)(tmos) list /sys syslog all-properties
sys syslog {
    auth-priv-from notice
    auth-priv-to emerg
    console-log enabled
    cron-from warning
    cron-to emerg
    daemon-from notice
    daemon-to emerg
    description none
    include none
    iso-date disabled
    kern-from debug
    kern-to emerg
    local6-from notice
    local6-to emerg
    mail-from notice
    mail-to emerg
    messages-from notice
    messages-to warning
    remote-servers {
        remotesyslog1 {
            description none
            host 192.168.152.36
            local-ip none
            remote-port 514
        }
    }
    user-log-from notice
    user-log-to emerg
}
- nitass_89166
Noctilucent
can you try this one?
K13333: Filtering log messages sent to remote syslog servers (11.x - 13.x)
- mario365_345588
Nimbostratus
The link doesn't work
- mario365_345588
Nimbostratus
I did see the article, I'm sorry. I was able to access vi through the edit option like the article displays, but I'm unsure if erasing all facilities except "auth-priv-from notice" & "auth-priv-to emerg" and then saving will cause only logins to be sent to the syslog server. Could you please advise?
- nitass
Employee
e.g.
1) check to see if there is an existing filter in syslog-ng.conf that we can use.
[root@ve13a:Active:In Sync] config awk '/ authpriv/,/^$/' /etc/syslog-ng/syslog-ng.conf
authpriv.* /var/log/secure
filter f_authpriv { (facility(auth, authpriv) and level(notice..emerg)) or program(sshd) or (facility(auth,authpriv) and (program(httpd) or program(tamd))) or message("pam_audit") ; };
2) craft the syslog include configuration
sys syslog {
    include "
        destination d_loghost { udp("200.200.200.101" port(514)); };
        log { source(s_syslog_pipe); filter(f_authpriv); destination(d_loghost); };
    "
}
3) merge the syslog include configuration into running configuration
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys syslog
sys syslog { }
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) load sys config from-terminal merge
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
sys syslog {
    include "
        destination d_loghost { udp("200.200.200.101" port(514)); };
        log { source(s_syslog_pipe); filter(f_authpriv); destination(d_loghost); };
    "
}
Loading configuration...
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys syslog
sys syslog {
    include "
        destination d_loghost { udp(200.200.200.101 port(514)); };
        log { source(s_syslog_pipe); filter(f_authpriv); destination(d_loghost); };
    "
}
4) verify that only the log we want is sent to the remote syslog server
// tcpdump (please note that interface 0.0 is used here because the remote syslog server is reached via a tmm interface, not the mgmt interface)
[root@ve13a:Active:In Sync] config tcpdump -nni 0.0 -s0 host 200.200.200.101 and port 514 -X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:49:22.969608 IP 200.200.200.11.38628 > 200.200.200.101.514: SYSLOG authpriv.info, length: 209 out slot1/tmm0 lis=
10:49:22.969620 IP 200.200.200.11.38628 > 200.200.200.101.514: SYSLOG local0.info, length: 264 out slot1/tmm0 lis=
10:49:22.974077 IP 200.200.200.11.38628 > 200.200.200.101.514: SYSLOG authpriv.info, length: 178 out slot1/tmm0 lis=
10:49:22.974086 IP 200.200.200.11.38628 > 200.200.200.101.514: SYSLOG local0.info, length: 233 out slot1/tmm0 lis=
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel

// remote syslog
Jan 6 10:49:22 ve13a info sshd(pam_audit)[6153]: user=root(root) partition=[All] level=Administrator tty=ssh host=172.16.204.33 attempts=1 start="Sat Jan 6 10:49:21 2018" end="Sat Jan 6 10:49:22 2018".
Jan 6 10:49:22 ve13a info sshd(pam_audit)[6153]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=172.16.204.33 attempts=1 start="Sat Jan 6 10:49:21 2018" end="Sat Jan 6 10:49:22 2018".
Jan 6 10:49:22 ve13a info sshd(pam_audit)[6150]: user=root(root) partition=[All] level=Administrator tty=ssh host=172.16.204.33 attempts=1 start="Sat Jan 6 10:49:22 2018".
Jan 6 10:49:22 ve13a info sshd(pam_audit)[6150]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=172.16.204.33 attempts=1 start="Sat Jan 6 10:49:22 2018".
note: to reset the syslog include, use "include none"
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) modify sys syslog include none
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys syslog
sys syslog { }
- mario365_345588
Nimbostratus
That worked! Thanks! I have one more request. I also need to log config changes from both CLI & GUI to the same syslog server. I have a guess on how it's done (see below), but I'm not sure if I'm oversimplifying it. Could you show me how to add more filters? Thank you.
sys syslog {
    include "
        destination d_loghost { udp("192.168.152.36" port(514)); };
        log { source(s_syslog_pipe); filter(f_authpriv); filter(f_auditing); destination(d_loghost); };
    "
}
- nitass
Employee
hope this helps.
HOW CAN TWO OR MORE FILTERS BE COMBINED?
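An added example, not from the thread or from F5, applying the include form of steps 2 and 3 to the follow-up question about also logging config changes: in syslog-ng, two filter() statements in one log path must both match, so listing f_authpriv and f_auditing separately would forward only messages matching both, whereas joining them with "or" inside a new filter forwards either. It assumes a filter named f_auditing exists in /etc/syslog-ng/syslog-ng.conf (confirm the exact name with the awk check of step 1 before loading), and the inner quotes are escaped so they survive the merge (the step 3 listing shows unescaped ones being dropped).

```conf
sys syslog {
    include "
        # f_auditing is an assumed name: verify it exists, e.g.
        # awk '/filter f_auditing/,/^$/' /etc/syslog-ng/syslog-ng.conf
        # filter() references inside a filter body are combined with or / and
        filter f_auth_or_audit { filter(f_authpriv) or filter(f_auditing); };
        destination d_loghost { udp(\"192.168.152.36\" port(514)); };
        # one combined filter() in the log path; two separate filter()
        # statements here would require both to match (logical and)
        log { source(s_syslog_pipe); filter(f_auth_or_audit); destination(d_loghost); };
    "
}
```

Load it with "load sys config from-terminal merge" as in step 3, then rerun the tcpdump check of step 4 to confirm which messages now leave the box.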