Forum Discussion

mxu_65255's avatar
mxu_65255
Icon for Nimbostratus rankNimbostratus
Sep 04, 2009

How to filter syslog messages

Hi,

 

 

I tried to filter out some syslog messages using syslog include, but it seems filter does not work. My syslog server gets all syslog messages.

 

 

This is my reference:

 

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=155.

 

 

My device:

 

 

Product: BIG-IP

 

Version: 9.4.7

 

Build: 320.1

 

BaseBuild: 320.1

 

Edition: Final

 

 

 

My syslog.inc

 

syslog include "

 

destination remote_server {

 

tcp(\"192.168.20.83\" port (514));

 

};

 

filter f_local0.info {

 

facility(local0) and level(notice) and match(\"AUDIT\");

 

};

 

filter f_no_local6 {

 

not facility(local6);

 

};

 

 

destination d_ltm {

 

file(\"/var/log/ltm\" create_dirs(yes));

 

};

 

 

log {

 

source(local);

 

filter(f_local0.info);

 

filter(f_no_local6);

 

destination(d_ltm);

 

destination(remote_server);

 

};"

 

 

Another thing I did was setting remote server:

 

bigpipe syslog remote server 192.168.20.83, otherwise, I could not get syslog.

 

 

Is there anything wrong with the configure? How to I filter syslog for this version of f5?

 

 

Thanks,

 

 

Minquan

 

 

 

config
design
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Sep 08, 2009
    Hi Minquan,

    I think the issue is with the the log statement. Also, there is no need to recreate objects which already exist if you're not re-defining them with modifications (like destination d_ltm).

    To undo the past changes, you can edit the /config/bigip_sys.conf file and remove the configuration section, syslog {} and then run 'b load'. This will update the syslog-ng.conf file in /etc/syslog-ng (linked to /var/run/config/syslog-ng.conf).

    Then try this for the syslog include file: 

     
 syslog include " 
 destination remote_server { 
    tcp(\"192.168.20.83\" port (514)); 
 }; 
 filter f_local0_audit.info { 
    facility(local0) and level(notice) and match(\"AUDIT\"); 
 }; 
 log { 
    source(local); 
    filter(f_local0_audit.info); 
    destination(remote_server); 
 };"

    You should use the syslog include file method or the 'b syslog remote server x.x.x.x' method, but not both.

    You can use 'b syslog list all' to see the entire syslog-ng configuration running in memory.

    Aaron
  • mxu_65255's avatar
    mxu_65255
    Icon for Nimbostratus rankNimbostratus
    Sep 08, 2009
    Hi Aaron,

     

     

    Thank you very much! Your solution works perfect for me.

     

     

    Minquan