ltm filter to allow audit to only remote syslog and without pollutins

Question

hi guysneed to send only audit syslogs to remote servers but w/o pollutions described in ID 880565will below do the job as expected? thanks in advanceinclude "filter f_audit{match(AUDIT);};filter f_audit_pollution {not (facility(local0) and message(\"AUDIT\") and match(\"cmd_data=list cm device recursive|cmd_data=cd /\"));};destination d_syslog_server {tcp(\"IP1\" port (514));tcp(\"IP2\" port (514));};log {source(s_syslog_pipe);filter(f_audit);filter(f_audit_pollution);destination(d_syslog_server);};"

f5_design_engineer · Answer

1-Log in to the Configuration utility. 2-Go to System &gt; Logs &gt; Configuration &gt; Remote Logging. 3-For Remote IP, enter the destination syslog server IP address, or FQDN. (DNS server configuration required) 4-For Remote Port, enter the remote syslog server UDP port (default is&nbsp;514). 5-Select Add. 6-Select Update.
refer
&nbsp;
https://my.f5.com/manage/s/article/K56602501
https://my.f5.com/manage/s/article/K13080
&nbsp;

andy-didnt-like-uucp · Answer

in reality, that "01420002:5: AUDIT - pid=20740 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=list cm device recursive" were polluting audit logs even with recommended configuration.

so, i introduced above config & it worked for me.
thanks

Forum Discussion

ltm filter to allow audit to only remote syslog and without pollutins

2 Replies

Recent Discussions

Reliable resources for identifying IP addresses

Maximum throughput of f5 ltm

Issue on license renewal

iRule cookie persistence and pool redirect

redirect not working

Related Content

BGP - filtering kernel redistribution

ASM filtered HTML exceeded limit: event code C190 Filtered Response HTML exceeded max limit

Filtering traffic based on client ip address and URL

X-Forwarded-For Log Filter for Windows Servers

IIS X-Forward-For ISAPI Filter