Forum Discussion
NimbostratusHow can I stop sending logging to local /var/log/ltm and send only to splunk via HSL
Hello, I have 2 questions, both related. I am using the iapp template and am sending my /var/log/ltm data to splunk. I have a need to send all connection data (9 viprion vcmp guests) from tcp/udp/ip client_accepted, server_connected, server_closed and client_closed events, so lots of data.
First question:
I have the analytics-iapp template configured to use splunk and HSL logging and I have the Local System Logging (syslog) setting set to "no" but it is still sending all the log data to /var/log/ltm.
It does also send the data to splunk. I am concerned about filling up /var/log/ltm file system. I am using "log local0.info ...." to capture my log traffic - is that why logging is still going to /var/log/ltm ? How do I get it to only send my log data to splunk?
Second question: I have about 1000 virtual servers that I need to execute my logging collection irule on. Is there a global place that I can just put this irule once instead of adding it to every virtual server ?
Simon_BlakelyEmployee
It does also send the data to splunk. I am concerned about filling up /var/log/ltm file system.
Logrotate will restrict the size of the files in /var/log, but you can still outlog logrotate and cause space issues.
I am using "log local0.info ...." to capture my log traffic - is that why logging is still going to /var/log/ltm ? How do I get it to only send my log data to splunk?
Open the HSL destination and log directly using HSL::send
HSL::open
HSL::sendSecond question: I have about 1000 virtual servers that I need to execute my logging collection irule on. Is there a global place that I can just put this irule once instead of adding it to every virtual server ?
No. There is no inheritance mechanism for virtuals, so you need to add your logging irule to each virtual. You could write a bash script to iterate through all the virtuals and modify them, or use iControl.