
Forum Discussion

Mr_K_130002
Oct 22, 2013

irule to filter out all local0

Hello everyone...

 

I'm a noob to irules, and I would like to start high speed logging, and filter out all local0 messages and prevent them from being transmitted, all other messages should be sent in cef format to 2 specific syslog servers; however, all syslog messages must be sent to a 3rd syslog server in standard syslog format, for this I have just configured standard syslog as found in list sys syslog.

 

Here's how far I have got: for hsl I have an irule as follows; when CLIENT_ACCEPTED { set hsl [HSL::open -proto UDP -pool QA_Syslog] }

 

This is what I would put at the top of the list on the virtual server. Then I have this irule for the non-logging of local0 messages; } when CLIENT_ACCEPTED { HSL::not send [HSL::open -proto UDP -pool ] "<135> iRule c-ip=[IP::client_addr]^^method=$http_method^^uri=$http_uri^^host=$http_host^^s-ip=[LB::server addr]^^pool-name=All_Envision__[LB::server pool]^^s-port=[LB::server port]^^status=[HTTP::status]\n" }

 

I wanted to get to a point where the written irule is worth testing in a pre-prod environment.

 

Thank you for reading, I hope it makes sense.

 

Everyone's thoughts appreciated. Regards

 

4 Replies

  • Just for clarification, are you wanting to send all local0 (and other facilities' logs) to one syslog server, and then specific traffic to another? An HSL is only going to send what you want it to send, so you could:

     

    • Modify local syslog-ng to send multiple facilities to a syslog server (vs. local)

    sol13083: Configuring syslog settings from the command line (11.x)

     

    Traffic Management Shell (tmsh) Reference Guide

     

    • Configure an HSL iRule or a request logging profile to send specific information to another syslog server.
  • Thanks for your response; just to clarify: from the F5, send all syslog messages in CEF, except local0, to log server1 and log server2, plus, send all syslog messages in native syslog to log server3.

     

    So, I have the second part working fine; all syslog messages are being sent natively to log server3. What I now need is everything except local0 sent to log server1 and log server2 in CEF format, so I have this rule;

     

    when CLIENT_ACCEPTED { HSL::not send [HSL::open -proto UDP -pool ] "<135> iRule c-ip=[IP::client_addr] }

     

    Also, what's the best way to have the syslog generated messages sent in CEF format?

     

    Many thanks

     

  • How have you configured the second part - sending all syslog messages to server 3?

    Again, an HSL is only going to send what you want it to send. Local0 is really irrelevant here because that's a local facility that just gets dumped to /var/log/ltm. If you want to send something specifically to a remote syslog server, your HSL command will have to define that information. You can alternately, and probably more easily, use a Request Logging profile instead of an HSL iRule. You'll need to modify the required CEF format yourself, but then the profile can be added to any VIP. See the following for more information on the Request Logging profile.

    Manual Chapter: Configuring Request Logging

    Also, here's an example of a CEF-like message defined in a Request Logging template:

    CEF:0|F5|LTM|11.3|$BIGIP_HOSTNAME|REQUEST|Request to: $VIRTUAL_IP|info|Request from: $CLIENT_IP|Request URI: $HTTP_REQUEST  
    
  • Sending all syslog messages to server3 is just configured through modify syslog remote-servers add etc.

     

    I understand what HSL will do, just send whatever you ask it to send, and as fast as possible. I see what you're saying about the HSL command; I think I'll investigate the logging profile route, thanks for sending the links. Thanks very much for your responses.
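As an added example (not code from the thread or from F5), the Python relay below does what the question asks for on the receiving side: it decodes the syslog PRI into facility and severity, keeps an unfiltered copy for log server3, drops local0 from the feed destined for log server1 and server2, and renders the remainder as CEF lines modelled on the template in the reply above. The vendor/product/version header values, the hostname, the sample log lines and the syslog-to-CEF severity mapping are assumptions. Note that the poster's "<135>" prefix is 16*8+7, i.e. local0.debug, the very facility they wanted to exclude.

```python
import re

# Syslog PRI (RFC 5424 s6.2.1): facility = PRI // 8, severity = PRI % 8; "<135>" = 16*8+7 = local0.debug.
FACILITY_NAMES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 5: "syslog",
                  16: "local0", 17: "local1", 18: "local2", 19: "local3",
                  20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse_pri(line):
    """Return (facility, severity, body) for one syslog line; reject a missing/out-of-range PRI."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid PRI: %r" % line[:16])
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2).strip()

def cef_escape(value, header=False):
    """CEF escaping: backslash everywhere, '|' in header fields, '=' and newlines in extensions."""
    value = value.replace("\\", "\\\\")
    if header:
        return value.replace("|", "\\|")
    return value.replace("=", "\\=").replace("\r", "").replace("\n", "\\n")

def to_cef(facility, severity, body, host):
    """Build a CEF:0 line with the vendor/product/version from the thread's template (assumed)."""
    fac = FACILITY_NAMES.get(facility, "facility%d" % facility)
    sev = SEVERITY_NAMES[severity]
    cef_sev = (7 - severity) * 10 // 7  # assumed mapping: emerg -> 10 ... debug -> 0
    header = "|".join(cef_escape(f, header=True) for f in
                      ("F5", "LTM", "11.3", "syslog", "%s.%s" % (fac, sev), str(cef_sev)))
    return "CEF:0|%s|dvchost=%s msg=%s" % (header, cef_escape(host), cef_escape(body))

def relay(lines, host="bigip-1"):
    """Return (cef, raw): raw keeps every line for server3; cef drops local0 for server1/2."""
    cef, raw = [], []
    for line in lines:
        facility, severity, body = parse_pri(line)
        raw.append(line)                      # native syslog copy, nothing filtered
        if FACILITY_NAMES.get(facility) == "local0":
            continue                          # local0 never reaches the CEF feed
        cef.append(to_cef(facility, severity, body, host))
    return cef, raw

# Constructed sample input; hostnames, PIDs and message texts are made up for this example.
SAMPLE = [
    "<135> iRule c-ip=10.0.0.5 method=GET uri=/login",                         # local0.debug
    "<38>Oct 22 12:00:00 bigip-1 sshd[123]: Accepted publickey for admin",     # auth.info
    "<27>Oct 22 12:00:01 bigip-1 mcpd[456]: pool member 10.0.0.9:80 is down",  # daemon.err
]
```

Calling relay(SAMPLE) returns two lists: the raw list holds all three lines, while the CEF list holds only the auth and daemon events.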