
Forum Discussion

Nov 12, 2021
Solved

How to configure syslog to include a "space"

Hi guys,

I need your help!

I have to configure a syslog filter, but a space does not go into the configuration.

ex) and not match (aaa) >>> it is possible

    and not match (a a) >>>>> it is not possible

I guess it is related to the space.

So, how do I configure it to include a "space"?

Thank you

  • Updated...OK: apparently somewhere in the last 10 years since I looked at syslog-ng filters last, the "match" was deprecated for "message". So here's how I tested, and the results:

    sys syslog {
        include "
    filter f_local0 {
       facility(local0) and not message(\"abc abc\");
    };
    filter f_local0_custom {
       facility(local0) and message(\"abc abc\");
    };
    destination d_customlog {
       file(\"/var/log/customlog\" create_dirs(yes));
    };
    log {
       source(local);
       filter(f_local0_custom);
       destination(d_customlog);
    };
    "
    }

    Then I slapped this iRule on a test virtual and hit it from my desktop:

    when HTTP_REQUEST {
      log local0. "abc abc"
      log local0. "abc123 abc123"
      HTTP::respond 200 content "<html><body>syslog test initiating...</body></html>"
    }

    And here are my logs:

    [root@ltm3:Active:Standalone] config # grep abc /var/log/ltm
    Nov 19 09:22:36 ltm3.test.local info tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc123 abc123
    Nov 19 09:22:36 ltm3.test.local info tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc123 abc123
    [root@ltm3:Active:Standalone] config # grep abc /var/log/customlog
    Nov 19 09:22:36 tmm1 tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc abc
    Nov 19 09:22:36 tmm1 tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc abc
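The accepted answer shows the two things that make a pattern with a space work: the pattern goes inside quotes, and because the whole syslog-ng fragment lives inside one tmsh `include "..."` string, those quotes have to be written as `\"`. The following Python is an added example (not from the answer, not F5 code) that renders that same include stanza for an arbitrary pattern with the escaping applied, and emulates how syslog-ng's `message()` filter routes messages. The emulation assumes `message()` behaves as an unanchored regex search over the MESSAGE part (syslog-ng's filters are regex-based; Python's `re` stands in for syslog-ng's engine here) and that the default BIG-IP route for `f_local0` is `/var/log/ltm`, as the answer's output shows. The sample messages are constructed, modelled on the `/var/log/ltm` lines above. One caveat worth seeing in code: `not message("abc abc")` drops every local0 message that merely contains the phrase anywhere, including inside a longer, possibly attacker-influenced field, so anchor the pattern (for example `abc abc$`) when you are filtering lines out rather than in.

```python
import re

# Constructed sample messages modelled on the /var/log/ltm lines in the answer.
# Each entry is (syslog facility, MESSAGE part). Not real captured logs.
SAMPLE_MESSAGES = [
    ("local0", "Rule /Common/syslog_match_test <HTTP_REQUEST>: abc abc"),
    ("local0", "Rule /Common/syslog_match_test <HTTP_REQUEST>: abc123 abc123"),
    # Phrase embedded in a longer token: message() is an unanchored regex,
    # so this line is matched too (and would be dropped by 'not message()').
    ("local0", "Rule /Common/syslog_match_test <HTTP_REQUEST>: user=abc abc-tenant"),
    # Different facility: neither filter fires.
    ("local1", "Rule /Common/other <HTTP_REQUEST>: abc abc"),
]


def tmsh_escape(text):
    """Escape a string for embedding inside the tmsh 'include "..."' value.

    The whole syslog-ng fragment is one double-quoted tmsh string, which is
    why the answer writes \\" around the pattern. Backslashes are doubled
    first; otherwise a backslash already in the text would neutralise the
    escape added for a following quote.
    """
    return text.replace("\\", "\\\\").replace('"', '\\"')


def render_syslog_include(pattern, logfile="/var/log/customlog"):
    """Render the 'sys syslog include' stanza from the answer for PATTERN.

    PATTERN is passed to syslog-ng's message() filter, which treats it as a
    regex; a space is an ordinary character once the pattern is quoted.
    Regex metacharacters are passed through unchanged: escape them yourself
    if you need a literal match. (Assumed semantics, see the lead-in.)
    """
    p = tmsh_escape(pattern)
    f = tmsh_escape(logfile)
    return (
        "sys syslog {\n"
        '    include "\n'
        "filter f_local0 {\n"
        f'   facility(local0) and not message(\\"{p}\\");\n'
        "};\n"
        "filter f_local0_custom {\n"
        f'   facility(local0) and message(\\"{p}\\");\n'
        "};\n"
        "destination d_customlog {\n"
        f'   file(\\"{f}\\" create_dirs(yes));\n'
        "};\n"
        "log {\n"
        "   source(local);\n"
        "   filter(f_local0_custom);\n"
        "   destination(d_customlog);\n"
        "};\n"
        '"\n'
        "}\n"
    )


def route(messages, pattern):
    """Emulate the two filters from the answer.

    Returns (customlog_lines, ltm_lines): messages matching f_local0_custom
    go to d_customlog, the rest of local0 (f_local0) stays on /var/log/ltm.
    Other facilities are ignored by both filters.
    """
    rx = re.compile(pattern)  # message() = unanchored regex search on MESSAGE
    customlog, ltm = [], []
    for facility, text in messages:
        if facility != "local0":
            continue
        if rx.search(text):
            customlog.append(text)   # f_local0_custom -> d_customlog
        else:
            ltm.append(text)         # f_local0 (not message) -> /var/log/ltm
    return customlog, ltm


if __name__ == "__main__":
    print(render_syslog_include("abc abc"))
    for pattern in ("abc abc", r"abc abc$"):
        custom, ltm = route(SAMPLE_MESSAGES, pattern)
        print(f"pattern {pattern!r}: customlog={custom}\n  ltm={ltm}")
```

Running it prints the rendered stanza (paste it into `tmsh` as the answer did) and shows that the unanchored `abc abc` pulls the `user=abc abc-tenant` line into the custom log as well, while `abc abc$` keeps only the exact phrase.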

5 Replies
