Forum Discussion

smp_86112's avatar
smp_86112
Icon for Cirrostratus rankCirrostratus
May 04, 2010

Customizing syslog-ng f_local0 filter

This is for v10.1.0.     I have developed an iRule that provides us with some useful troubleshooting information by sending useful events to a custom log file. Syslog-ng was set up to capture ...
management
monitoring
smp_86112's avatar
smp_86112
Icon for Cirrostratus rankCirrostratus
May 05, 2010

"...and overrides the default object definitions, since the include statement is the last one to load." That's a critical piece that's missing in the doc, in my opinion. My testing today confirmed my suspicion - the "bigpipe syslog include" command overrides everything else. Here's the syslog-ng customization I developed to send a subset of log entries to a custom log file. In my logging iRule, I simply need to add a "" custom string to the log output. I chose to match the string ": " instead of just "" in the f_local0 filter because it was capturing AUDIT logging events in the /var/log/customlog every time I modified the iRule.

Logging iRule Definition


when CLIENT_ACCEPTED {
    log local0. "this goes to /var/log/ltm"
    log local0. "this goes to /var/log/customlog"
}

Syslog-ng Include

 

Note that including the definition for filter "f_local0" overrides the built-in definition because the include definition is the last one to load:


b syslog include '"
    filter f_local0 {
        facility(local0) and not match(\": \");
    };
    filter f_local0_customlog {
        facility(local0) and match(\": \");
    };
    destination d_customlog {
        file(\"/var/log/customlog\" create_dirs(yes));
    };
    log {
        source(local); filter(f_local0_customlog); destination(d_customlog);
    };
"'