ltm filter to allow audit to only remote syslog and without pollution
Hi guys,
I need to send only audit syslogs to remote servers, but without the pollution described in ID 880565.
Will the below do the job as expected? Thanks in advance.
include "
    filter f_audit {
        match(AUDIT);
    };
    filter f_audit_pollution {
        not (facility(local0) and message(\"AUDIT\") and match(\"cmd_data=list cm device recursive|cmd_data=cd /\"));
    };
    destination d_syslog_server {
        tcp(\"IP1\" port (514));
        tcp(\"IP2\" port (514));
    };
    log {
        source(s_syslog_pipe);
        filter(f_audit);
        filter(f_audit_pollution);
        destination(d_syslog_server);
    };
"
- 1. Log in to the Configuration utility.
  2. Go to System > Logs > Configuration > Remote Logging.
  3. For Remote IP, enter the destination syslog server IP address, or FQDN. (DNS server configuration required)
  4. For Remote Port, enter the remote syslog server UDP port (default is 514).
  5. Select Add.
  6. Select Update.
Refer to:
https://my.f5.com/manage/s/article/K56602501
https://my.f5.com/manage/s/article/K13080
In reality, lines like "01420002:5: AUDIT - pid=20740 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=list cm device recursive" were polluting the audit logs even with the recommended configuration.
So I introduced the above config and it worked for me.
Thanks
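
An offline check of the filter logic from the thread, as an added example (not code from the posters or from F5): it replays sample messages through Python equivalents of f_audit and f_audit_pollution and shows that the unanchored `cmd_data=cd /` alternative also drops audit entries for a cd into any partition path. Assumptions: Python's re approximates syslog-ng's regex matching for these simple patterns, every sample line except the one quoted in the thread is constructed, and POLLUTION_ANCHORED is a hypothetical tighter pattern to verify against real log output before use.

```python
import re

# Regexes copied from the thread's filters; Python's re stands in for syslog-ng's engine.
AUDIT = re.compile(r"AUDIT")
POLLUTION = re.compile(r"cmd_data=list cm device recursive|cmd_data=cd /")
# Hypothetical tighter variant (not from the thread): the command must end the message.
POLLUTION_ANCHORED = re.compile(r"cmd_data=(list cm device recursive|cd /)$")

def f_audit(msg):
    """filter f_audit { match(AUDIT); };"""
    return AUDIT.search(msg) is not None

def f_audit_pollution(facility, msg, pollution=POLLUTION):
    """filter f_audit_pollution { not (facility(local0) and message(...) and match(...)); };"""
    noisy = (facility == "local0"
             and AUDIT.search(msg) is not None
             and pollution.search(msg) is not None)
    return not noisy

def forwarded(facility, msg, pollution=POLLUTION):
    """Two filter() statements in one log path are ANDed: both must pass."""
    return f_audit(msg) and f_audit_pollution(facility, msg, pollution)

PREFIX = "01420002:5: AUDIT - pid=20740 user=root folder=/ module=(tmos)# status=[Command OK] "
SAMPLES = {
    "noise_list": ("local0", PREFIX + "cmd_data=list cm device recursive"),  # quoted in the thread
    "noise_cd": ("local0", PREFIX + "cmd_data=cd /"),                # constructed
    "cd_common": ("local0", PREFIX + "cmd_data=cd /Common"),         # constructed
    "create_pool": ("local0", PREFIX + "cmd_data=create ltm pool p1"),  # constructed
    "not_audit": ("local0", "mcpd[1234]: constructed non-audit message"),  # constructed
}

def report(pollution=POLLUTION):
    """Map each sample name to True if the log path would forward it."""
    return {name: forwarded(fac, msg, pollution) for name, (fac, msg) in SAMPLES.items()}

if __name__ == "__main__":
    for label, pattern in (("thread pattern", POLLUTION), ("anchored variant", POLLUTION_ANCHORED)):
        print(label, report(pattern))
```

With the thread's pattern the constructed `cd /Common` audit line is suppressed along with the noise; the anchored variant forwards it while still dropping both noise lines.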