Forum Discussion
Rodrigo_Mori_13
Cirrus
CirrusConfiguring Syslog Server for a Specific Virtual Server
Hi, guys
I have an application in BIG IP, according to the image.
I need all the IPs that have accessed VS_APP1 to be registered on the syslog server.
Someone could help me set this up...
Greetings,
I haven't used the virtual server's Request Logging profile much, but was able to create a profile that logs the source IP address of the connecting client:
In the Request profile Template section, I simply entered:
Client IP is: ${CLIENT_IP}
And it was sent to the remote syslog:
14:10:53.969588 IP 10.12.23.120.48392 > 10.12.23.27.514: [|syslog] 0x0000: 4500 0037 cb69 4000 ff11 6da1 0a0c 1778 E..7.i@...m....x 0x0010: 0a0c 171b bd08 0202 0023 7989 436c 6965 .........y.Clie 0x0020: 6e74 2049 5020 6973 3a20 3130 2e31 322e nt.IP.is:.10.12. 0x0030: 3235 302e 3133 30 250.130Hope this is useful!
Kevin
Greetings,
I haven't used the virtual server's Request Logging profile much, but was able to create a profile that logs the source IP address of the connecting client:
In the Request profile Template section, I simply entered:
Client IP is: ${CLIENT_IP}
And it was sent to the remote syslog:
14:10:53.969588 IP 10.12.23.120.48392 > 10.12.23.27.514: [|syslog]
0x0000: 4500 0037 cb69 4000 ff11 6da1 0a0c 1778 E..7.i@...m....x
0x0010: 0a0c 171b bd08 0202 0023 7989 436c 6965 .........y.Clie
0x0020: 6e74 2049 5020 6973 3a20 3130 2e31 322e nt.IP.is:.10.12.
0x0030: 3235 302e 3133 30 250.130
Hope this is useful!
Kevin
Rodrigo_Mori_13In case, for me to send the log to the "Local 6" Syslog server, how can this be done?
Hi Rodrigo,
In researching, it seems local0 to local7 are reserved for local use. So a custom application running on the server can log to it's own file. There's probably some simple way to hack remote message using local facility, but I wasn't able to come up with one.The best I could do was add the following line to my rsyslog config:
if $fromhost-ip startswith '10.12.23.' then /var/log/local6.log
tail -f /var/log/local6.log
Oct 4 08:34:54 local6.notice Client IP is: 10.12.250.130
Hope this is somewhat helpful, let us know if you come up with something!
Thanks,
Kevin- Rodrigo_Mori_13
Hi, kevin
I configured the profile "request logging".
The problem I'm having is that on the production ssyslog (Linux) server the access information does not appear.
I installed a syslog program on my computer for testing (3CDaemon program) and in this case the access information appeared correctly.
It seems that BIG-IP forwards this information to a "user.info" facility, and this facility is what does not appear on the production syslog server.
You would have to see a way for this information to be routed to some "local (1-6) location on the production syslog server."
- Rodrigo_Mori_13
I'm guessing here, but it looks like you may have defined a "Remote Syslog Server" and the BIG-IP system is sending all logs to the syslog server rather than just those messages defined in the request logging profile. My request logging message only contain what I've configured in the profile.
So, it seems there are two options: either disable the Remote Syslog Server option or perhaps figure a way to filter based on user.info in the syslog configuration?
I can look into the syslog filter once I have some free time. Not my current area of expertise unfortunately.