Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

neeeewbie's avatar
neeeewbie
Icon for MVP rankMVP
Nov 11, 2021
Solved

How to configrue syslog include "space"

Hi guys    I need your help !!!        I have to configure syslog filter but space area does not enter the configuration   ex) and not match (aaa) >>> it is possible        and ...
application delivery
big-ip
  • JRahm's avatar
    JRahm
    Nov 12, 2021

    Updated...OK: apparently somewhere in the last 10 years since I looked at syslog-ng filters last, the "match" was deprecated for "message". So here's how I tested, and the results:

    sys syslog {
    include "
filter f_local0 {
   facility(local0) and not message(\"abc abc\");
};
filter f_local0_custom {
   facility(local0) and message(\"abc abc\");
};
destination d_customlog {
   file(\"/var/log/customlog\" create_dirs(yes));
};
log {
   source(local);
   filter(f_local0_custom);
   destination(d_customlog);
};
"
}

    Then I slapped this iRule on a test virtual and hit it from my desktop:

    when HTTP_REQUEST {
  log local0. "abc abc"
  log local0. "abc123 abc123"
  HTTP::respond 200 content "<html><body>sylog test initiating...</body></html>"
}

    And here are my logs:

    [root@ltm3:Active:Standalone] config # grep abc /var/log/ltm
Nov 19 09:22:36 ltm3.test.local info tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc123 abc123
Nov 19 09:22:36 ltm3.test.local info tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc123 abc123
[root@ltm3:Active:Standalone] config # grep abc /var/log/customlog
Nov 19 09:22:36 tmm1 tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc abc
Nov 19 09:22:36 tmm1 tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc abc
JRahm's avatar
JRahm
Icon for Admin rankAdmin
Nov 12, 2021

Updated...OK: apparently somewhere in the last 10 years since I looked at syslog-ng filters last, the "match" was deprecated for "message". So here's how I tested, and the results:

sys syslog {
    include "
filter f_local0 {
   facility(local0) and not message(\"abc abc\");
};
filter f_local0_custom {
   facility(local0) and message(\"abc abc\");
};
destination d_customlog {
   file(\"/var/log/customlog\" create_dirs(yes));
};
log {
   source(local);
   filter(f_local0_custom);
   destination(d_customlog);
};
"
}

Then I slapped this iRule on a test virtual and hit it from my desktop:

when HTTP_REQUEST {
  log local0. "abc abc"
  log local0. "abc123 abc123"
  HTTP::respond 200 content "<html><body>sylog test initiating...</body></html>"
}

And here are my logs:

[root@ltm3:Active:Standalone] config # grep abc /var/log/ltm
Nov 19 09:22:36 ltm3.test.local info tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc123 abc123
Nov 19 09:22:36 ltm3.test.local info tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc123 abc123
[root@ltm3:Active:Standalone] config # grep abc /var/log/customlog
Nov 19 09:22:36 tmm1 tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc abc
Nov 19 09:22:36 tmm1 tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc abc