Forum Discussion
NimbostratusLimit syslog messages
Hello,
I have set up the remote logging from the BigIP GUI and the syslog got many messages as shown below:
Feb 27 00:14:01 ltm1 debug crond[13387]: pam_unix(crond:session): session opened for user syscheck by (uid=0) Feb 27 00:14:01 ltm1 debug crond[13387]: pam_unix(crond:session): session closed for user syscheck Feb 27 00:15:01 ltm1 debug crond[13389]: pam_unix(crond:session): session opened for user root by (uid=0) Feb 27 00:15:01 ltm1 debug crond[13390]: pam_unix(crond:session): session opened for user root by (uid=0) Feb 27 00:15:01 ltm1 debug crond[13389]: pam_unix(crond:session): session closed for user root Feb 27 00:15:01 ltm1 debug crond[13390]: pam_unix(crond:session): session closed for user root Feb 27 00:16:02 ltm1 debug crond[13393]: pam_unix(crond:session): session opened for user syscheck by (uid=0) Feb 27 00:16:02 ltm1 debug crond[13393]: pam_unix(crond:session): session closed for user syscheck Feb 27 00:18:01 ltm1 debug crond[13395]: pam_unix(crond:session): session opened for user syscheck by (uid=0) Feb 27 00:18:01 ltm1 debug crond[13395]: pam_unix(crond:session): session closed for user syscheck Feb 27 00:20:01 ltm1 debug crond[13397]: pam_unix(crond:session): session opened for user root by (uid=0) Feb 27 00:20:01 ltm1 debug crond[13399]: pam_unix(crond:session): session opened for user syscheck by (uid=0) Feb 27 00:20:01 ltm1 debug crond[13398]: pam_unix(crond:session): session opened for user root by (uid=0) Feb 27 00:20:01 ltm1 debug crond[13397]: pam_unix(crond:session): session closed for user root Feb 27 00:20:01 ltm1 debug crond[13398]: pam_unix(crond:session): session closed for user root Feb 27 00:20:01 ltm1 debug crond[13399]: pam_unix(crond:session): session closed for user syscheck Feb 27 00:21:01 ltm1 debug crond[13411]: pam_unix(crond:session): session opened for user root by (uid=0) Feb 27 00:21:02 ltm1 debug crond[13411]: pam_unix(crond:session): session closed for user root Feb 27 00:22:01 ltm1 debug crond[13461]: pam_unix(crond:session): session opened for user syscheck by (uid=0)
I tried to limit these log messages (monitor only /var/ltm) by editing the syslog all-properties:
modify syslog { auth-priv-from notice auth-priv-to emerg console-log enabled cron-from warning cron-to emerg daemon-from notice daemon-to emerg description none include " filter f_local0 { facility(local0); };
log {
source(s_syslog_pipe);
filter(f_local0);
};
"
iso-date disabled
kern-from debug
kern-to emerg
local6-from notice
local6-to emerg
mail-from notice
mail-to emerg
messages-from notice
messages-to warning
remote-servers replace-all-with {
remotesyslog1 {
description none
host x.x.x.x
local-ip none
remote-port 514
}
}
user-log-from notice
user-log-to emerg
}
But I still have the same messages on the remote syslog. Do I have to review the configuration? What am I missing?
thank you.
3 Replies
amolariCirrostratus
the messages you see are from cron.
In your config, try to add
cron-from warning
cron-to emerg
That should be the default settings. To view the full syslog settings: "tmsh list sys syslog all-properties"
- ILIAS_g_183177
Thank you.
I did that and now I can see that it doesn't produce such messages. But this TMSH configuration doesn't produce any GUI configuration, meaning that these changes are not shown anywhere in the Logs->Configuration. Is this how it works?
- nitass
Employee
i understand log level in tmsh list sys syslog all-properties does not apply to remote syslog. syslog include is needed to filter remote syslog message.
Note: The log levels displayed in the output of the bigpipe syslog list all command do not apply to remote syslog servers.sol8260: Configuring syslog settings from the command line (9.x - 10.x)
https://support.f5.com/kb/en-us/solutions/public/8000/200/sol8260.htmlsol13333: Filtering log messages sent to remote syslog servers (11.x)
https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13333.html
