Forum Discussion
Configuring Syslog Server for a Specific Virtual Server
- Oct 03, 2017
Greetings,
I haven't used the virtual server's Request Logging profile much, but was able to create a profile that logs the source IP address of the connecting client:
In the Request profile Template section, I simply entered:
Client IP is: ${CLIENT_IP}
And it was sent to the remote syslog:
14:10:53.969588 IP 10.12.23.120.48392 > 10.12.23.27.514: [|syslog]
0x0000: 4500 0037 cb69 4000 ff11 6da1 0a0c 1778 E..7.i@...m....x
0x0010: 0a0c 171b bd08 0202 0023 7989 436c 6965 .........y.Clie
0x0020: 6e74 2049 5020 6973 3a20 3130 2e31 322e nt.IP.is:.10.12.
0x0030: 3235 302e 3133 30 250.130
Hope this is useful!
Kevin
- Rodrigo_Mori_13, Oct 04, 2017, Cirrus
In my case, how can I send the log to the "Local 6" Syslog server?
- Kevin_K_51432, Oct 04, 2017, Historic F5 Account
Hi Rodrigo,
The best I could do was add the following line to my rsyslog config:
if $fromhost-ip startswith '10.12.23.' then /var/log/local6.log
tail -f /var/log/local6.log
Oct 4 08:34:54 local6.notice Client IP is: 10.12.250.130
Hope this is somewhat helpful, let us know if you come up with something!
Thanks,
- Rodrigo_Mori_13, Oct 05, 2017, Cirrus
Hi Kevin,
I configured the profile "request logging".
The problem I'm having is that on the production syslog (Linux) server the access information does not appear.
I installed a syslog program on my computer for testing (3CDaemon program) and in this case the access information appeared correctly.
It seems that BIG-IP forwards this information to a "user.info" facility, and this facility is what does not appear on the production syslog server.
You would have to see a way for this information to be routed to some "local (1-6)" location on the production syslog server.
- Rodrigo_Mori_13, Oct 05, 2017, Cirrus
- Kevin_K_51432, Oct 05, 2017, Historic F5 Account
I'm guessing here, but it looks like you may have defined a "Remote Syslog Server" and the BIG-IP system is sending all logs to the syslog server rather than just those messages defined in the request logging profile. My request logging messages only contain what I've configured in the profile.
So, it seems there are two options: either disable the Remote Syslog Server option or perhaps figure a way to filter based on user.info in the syslog configuration?
I can look into the syslog filter once I have some free time. Not my current area of expertise unfortunately.
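Added example, not part of the original thread and not F5 or rsyslog code: in the packet capture in the first post the UDP payload begins directly with "Client IP is:", so the datagram carries no syslog `<PRI>` field. The Python sketch below shows how a receiver that follows RFC 3164 classifies such a datagram and how a relay could re-tag it as local6 so that facility-based filters match; the function names are hypothetical.

```python
import re

# Facility and severity names indexed by their numeric codes (RFC 3164).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

DEFAULT_PRI = 13  # RFC 3164 section 4.3.3: missing or invalid PRI means user.notice
PRI_RE = re.compile(rb"^<(\d{1,3})>")

# Message text of the UDP payload shown in the capture on this page.
PAGE_PAYLOAD = b"Client IP is: 10.12.250.130"


def split_pri(payload: bytes):
    """Return (pri, body, had_pri); fall back to the default when PRI is absent."""
    m = PRI_RE.match(payload)
    if m and int(m.group(1)) <= 191:       # 23 * 8 + 7 is the highest valid PRI
        return int(m.group(1)), payload[m.end():], True
    return DEFAULT_PRI, payload, False      # body kept whole, as a relay would


def classify(payload: bytes):
    """Return (facility, severity, message, had_pri) for one syslog datagram."""
    pri, body, had_pri = split_pri(payload)
    message = body.decode("utf-8", "replace")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], message, had_pri


def retag(payload: bytes, facility: str, severity: str) -> bytes:
    """Add or rewrite the PRI so downstream facility filters see the new value."""
    _, body, _ = split_pri(payload)
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    return b"<%d>" % pri + body


if __name__ == "__main__":
    print(classify(PAGE_PAYLOAD))                    # no PRI in the datagram
    print(classify(b"<14>" + PAGE_PAYLOAD))          # explicit user.info
    print(retag(PAGE_PAYLOAD, "local6", "info"))     # re-tagged for local6
```

A receiver that only stores local0 to local7 messages would drop the first two cases and keep the third.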