Forum Discussion

Cirrus

Oct 03, 2017

Solved

Configuring Syslog Server for a Specific Virtual Server

Hi, guys I have an application in BIG IP, according to the image. I need all the IPs that have accessed VS_APP1 to be registered on the syslog server. Someone could help me set this up...

application delivery

BIG-IP

LTM

Kevin_K_51432
Oct 03, 2017
Greetings,

I haven't used the virtual server's Request Logging profile much, but was able to create a profile that logs the source IP address of the connecting client:

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-11-5-0/1.html

In the Request profile Template section, I simply entered:

Client IP is: ${CLIENT_IP}

And it was sent to the remote syslog:

14:10:53.969588 IP 10.12.23.120.48392 > 10.12.23.27.514: [|syslog] 0x0000: 4500 0037 cb69 4000 ff11 6da1 0a0c 1778 E..7.i@...m....x 0x0010: 0a0c 171b bd08 0202 0023 7989 436c 6965 .........y.Clie 0x0020: 6e74 2049 5020 6973 3a20 3130 2e31 322e nt.IP.is:.10.12. 0x0030: 3235 302e 3133 30 250.130

Hope this is useful!

Kevin

bogdanalexandru

Nimbostratus

Jun 28, 2018

It's all about the default syslog message format as it turns out.

Here's what worked for me:

Request Logging Template = $DATE_MON $DATE_DD $TIME_HMS slot1/NNORM3-LB002V01 notice msg[HTTP-REQ-LOG] src-ip=$CLIENT_IP method=$HTTP_METHOD uri=$HTTP_URI* everything that is not preceded by $ (text in bold) is just simple text i entered that appears "as is" in logs
syslog-ng filter = host("NNORM3-LB002V01" ) and match("HTTP-REQ-LOG" value("MESSAGE"))
log message example = Jun 29 01:28:27 slot1/NNORM3-LB002V01 notice msg[HTTP-REQ-LOG] src-ip=10.250.158.188 method=GET uri=/dsa-claims

Inspired by: https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configuring-macros.html

Enjoy

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)