Customizing syslog-ng f_local0 filter
This is for v10.1.0.
I have developed an iRule that provides us with some useful troubleshooting information by sending useful events to a custom log file. Syslog-ng was set up to capture these events based on a custom syslog-ng filter I added using the "b syslog include" statement which looks for a custom string pattern. This all works fine and good. The issue I've got is that because of the default f_local0 filter, these log messages are also being sent to the /var/log/ltm file. I want to isolate these logging events to my custom log file by adding an exclusion statement in the f_local0 filter. However the top of the syslog-ng.conf file warns against editing the file directly, and the bigpipe syslog command doesn't seem to provide any way to customize built-in filters. Is there another way to customize the default syslog-ng filters using the bigpipe syslog command?
- hoolio
Cirrostratus
Hi SMP,
- smp_86112
Cirrostratus
Hi Hoolio,
- hoolio
Cirrostratus
That's what I got from the article as well. If I remember correctly... If you try to define an object which already exists in the default syslog-ng config using an include file, it just redefines the object (and does not modify the previously defined object).
- smp_86112
Cirrostratus
"...and overrides the default object definitions, since the include statement is the last one to load." That's a critical piece that's missing in the doc, in my opinion. My testing today confirmed my suspicion - the "bigpipe syslog include" command overrides everything else. Here's the syslog-ng customization I developed to send a subset of log entries to a custom log file. In my logging iRule, I simply need to add a "" custom string to the log output. I chose to match the string ": " instead of just "" in the f_local0 filter because it was capturing AUDIT logging events in the /var/log/customlog every time I modified the iRule.
Logging iRule Definition
when CLIENT_ACCEPTED {
    log local0. "this goes to /var/log/ltm"
    log local0. "this goes to /var/log/customlog"
}
Syslog-ng Include
b syslog include '"
filter f_local0 { facility(local0) and not match(\": \"); };
filter f_local0_customlog { facility(local0) and match(\": \"); };
destination d_customlog { file(\"/var/log/customlog\" create_dirs(yes)); };
log { source(local); filter(f_local0_customlog); destination(d_customlog); };
"'
- hoolio
Cirrostratus
That's a novel approach with the two hashes for differentiating the custom iRule logging from standard logging.