For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

mxu_65255's avatar
mxu_65255
Icon for Nimbostratus rankNimbostratus
Sep 04, 2009

How to filter syslog messages

Hi,     I tried to filter out some syslog messages using syslog include, but it seems filter does not work. My syslog server gets all syslog messages.     This is my reference: ...
config
design
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Sep 08, 2009
Hi Minquan,

I think the issue is with the the log statement. Also, there is no need to recreate objects which already exist if you're not re-defining them with modifications (like destination d_ltm).

To undo the past changes, you can edit the /config/bigip_sys.conf file and remove the configuration section, syslog {} and then run 'b load'. This will update the syslog-ng.conf file in /etc/syslog-ng (linked to /var/run/config/syslog-ng.conf).

Then try this for the syslog include file: 

 
 syslog include " 
 destination remote_server { 
    tcp(\"192.168.20.83\" port (514)); 
 }; 
 filter f_local0_audit.info { 
    facility(local0) and level(notice) and match(\"AUDIT\"); 
 }; 
 log { 
    source(local); 
    filter(f_local0_audit.info); 
    destination(remote_server); 
 };"

You should use the syslog include file method or the 'b syslog remote server x.x.x.x' method, but not both.

You can use 'b syslog list all' to see the entire syslog-ng configuration running in memory.

Aaron