bodnarmatic_110
Nov 17, 2009

LTM Local Logging Question

We've written a throttling iRule that parses URIs and occasionally rejects requests based on volume, content and other conditions. That part works well.

We'd like to be able to log some of these events locally for troubleshooting and audit purposes, preferably in a separate custom log in the /var/log/ directory (not /var/log/ltm). Is this possible?

I don't have that much experience with syslog, so working through bigpipe to manipulate syslog isn't making this any easier.

I thought about grabbing one of the local.* logs and using it for myself, but I'm not sure what the impact might be elsewhere.

Any thoughts/advice would be greatly appreciated.
  • hoolio
    Hi,

    If you can log the messages to an external syslog server, you can use the log command to send the messages directly from an iRule:

    http://devcentral.f5.com/wiki/default.aspx/iRules/log

    log [-noname] [:] .[]

    If a remote server isn't an option, it would be cleaner to configure syslog-ng to send specific messages to a separate file than take a default syslog facility and use it for your logging. The concept for configuring syslog is relatively simple. You'd want to create a new filter which states which syslog facility to check and which messages to match or not match on, a new destination which states where to send the messages and a new log statement which implements the first two configuration objects.

    There are some examples in this Codeshare for the pre-9.4.2 configuration:

    http://devcentral.f5.com/wiki/default.aspx/iRules/LogHttpTcpUdpToSyslogng

    You would then need to modify the existing log filter to not match the specific messages if you don't want those messages logged to the default file.

    So that's the end goal for the syslog-ng configuration. Then you need to use the b syslog command to add this configuration to the bigip_sys.conf file. Deb wrote a helpful article on this:

    LTM 9.4.2+: Custom Syslog Configuration
    http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=155

    And here are a few related posts:

    How to filter syslog messages
    http://devcentral.f5.com/Default.aspx?tabid=53&forumid=31&tpage=1&view=topic&postid=62132

    syslog-ng filter not working
    http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=56442

    Aaron
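The filter / destination / log triad that the reply above describes, modelled in Python so the routing logic can be run over a few sample lines. This is an added example, not F5's syslog-ng.conf or anything from the reply: the filter names, the file paths and the sample lines are constructed, and the only real standard it relies on is the BSD syslog PRI encoding (facility * 8 + severity), under which an iRule `log local0.info ...` message arrives as `<134>`. The second filter shows the "modify the existing log filter to not match" step, so that the custom messages are not duplicated into the default file.

```python
"""Toy model of syslog-ng's filter / destination / log objects (added example,
not BIG-IP configuration). Facility and severity follow the RFC 3164 PRI
encoding; everything else here is a constructed stand-in."""
import re
from collections import defaultdict

# Standard facility numbers; 16..23 are local0..local7.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                  5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
                  10: "authpriv", 11: "ftp"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def facility_name(n):
    if n >= 16:
        return f"local{n - 16}"
    return FACILITY_NAMES.get(n, f"facility{n}")


def decode_pri(line):
    """Split '<134>message' into (facility, severity, message).
    A missing or out-of-range PRI is treated as user.notice, which is what
    syslog daemons do with malformed input."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return "user", "notice", line
    pri = int(m.group(1))
    return facility_name(pri // 8), SEVERITIES[pri % 8], m.group(2)


# --- the three syslog-ng objects, as plain Python (names are assumed) ---
def f_throttle(fac, sev, msg):
    """filter f_throttle { facility(local0) and match("THROTTLE"); };"""
    return fac == "local0" and "THROTTLE" in msg


def f_default(fac, sev, msg):
    """The pre-existing catch-all filter, amended with
    'and not filter(f_throttle)' so matched lines leave the default file."""
    return not f_throttle(fac, sev, msg)


# destination d_throttle { file("/var/log/throttle.log"); };  (assumed path)
# log { source(...); filter(f_throttle); destination(d_throttle); };
LOG_STATEMENTS = [
    (f_throttle, "/var/log/throttle.log"),
    (f_default, "/var/log/messages"),
]


def route(lines):
    """Apply every log statement to every line; returns {file: [entries]}."""
    out = defaultdict(list)
    for line in lines:
        fac, sev, msg = decode_pri(line)
        for flt, dest in LOG_STATEMENTS:
            if flt(fac, sev, msg):
                out[dest].append(f"{fac}.{sev} {msg}")
    return dict(out)


# Constructed sample input: two lines as an iRule would emit at local0.info
# (<134>) and one unrelated daemon.info line (<30>).
SAMPLE = [
    "<134>Nov 17 10:00:01 tmm tmm[1234]: Rule throttle_rule <HTTP_REQUEST>: THROTTLE reject 192.0.2.10 /api/search",
    "<134>Nov 17 10:00:02 tmm tmm[1234]: Rule throttle_rule <HTTP_REQUEST>: allowed 192.0.2.11 /",
    "<30>Nov 17 10:00:03 bigip sshd[999]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for dest, entries in route(SAMPLE).items():
        print(dest)
        for e in entries:
            print("   ", e)
```

Running it shows one line landing in the custom file and the other two staying in the default one, which is exactly the split the amended default filter is there to produce.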
  • This is EXACTLY what I'm looking for. Wish I could get it to work.

    Here is what I'm using...

    when HTTP_REQUEST {
        # time the request arrived, in milliseconds
        set http_request_time [clock clicks -milliseconds]
        # build the request half of the log line; every line but the last ends
        # in a backslash so Tcl joins them into one string
        set request_log_line "\
            [HTTP::request_num],\
            [IP::remote_addr],\
            [HTTP::method],\
            [HTTP::version],\
            [HTTP::host],\
            [LB::server],\
            \"[HTTP::uri]\",\
            \"[HTTP::header value Referer]\",\
            \"[HTTP::header User-Agent]\",\
            \"[HTTP::cookie value JSESSIONID]\",\
            [SSL::cipher name],\
            [SSL::cipher version],\
            [SSL::cipher bits]"
    }

    when HTTP_RESPONSE {
        set http_response_time [clock clicks -milliseconds]
        # append status, size and elapsed time, then send to the remote syslog host
        log 10.1.3.31 local0.info "$request_log_line,\
            [HTTP::status],\
            [HTTP::payload length],\
            [expr $http_response_time - $http_request_time]"
    }

    I use the same rule to log to the local syslog on my BigIP (log local0. "$request_log_line,\) and it works flawlessly.

    However, when trying to log to the remote box 10.1.3.31 (using the KIWI Syslog Daemon from SolarWinds) I get nothing. Sniffing with Wireshark, I don't see anything coming from my BigIP.

    Any comments or thoughts are MOST welcome !!
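A reader for the comma-separated line that the iRule above produces, as an added example (not part of the post, and not the poster's code). Two properties of that line matter on the receiving side: Tcl turns each backslash-newline into a single space, so every field after the first carries a leading space; and the URI, Referer, User-Agent and JSESSIONID fields are wrapped in quotes but nothing inside them is escaped, so a request header containing a quote and a comma shifts the columns. The parser below accepts the leading spaces, rejects lines whose column count is wrong instead of guessing, and replaces the JSESSIONID with a salted hash so the audit log can still be correlated per session without holding a live session token. The field order follows the iRule; the sample lines, the salt and the redaction scheme are assumptions of this example.

```python
"""Parse the 16-field line emitted by the iRule in the post (added example).
Field order mirrors the iRule: 13 request fields, then 3 response fields."""
import csv
import hashlib
import io

FIELDS = ["request_num", "remote_addr", "method", "version", "host", "lb_server",
          "uri", "referer", "user_agent", "jsessionid", "cipher_name",
          "cipher_version", "cipher_bits", "status", "payload_length", "elapsed_ms"]
INT_FIELDS = ("request_num", "cipher_bits", "status", "payload_length", "elapsed_ms")


def parse_request_line(line, redact_salt=b"example-salt"):
    """Return a dict of the 16 fields, or None if the line does not parse.
    The session id is replaced by a salted SHA-256 prefix (assumed scheme)."""
    try:
        # skipinitialspace drops the space Tcl leaves after each comma
        rows = list(csv.reader(io.StringIO(line), skipinitialspace=True))
    except csv.Error:
        return None
    # one row with exactly the expected column count; a header that smuggles
    # in '","' adds a column and a response that never came removes three
    if len(rows) != 1 or len(rows[0]) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, rows[0]))
    for key in INT_FIELDS:
        try:
            rec[key] = int(rec[key])
        except ValueError:
            return None
    if rec["jsessionid"]:
        digest = hashlib.sha256(redact_salt + rec["jsessionid"].encode()).hexdigest()
        rec["jsessionid"] = "sha256:" + digest[:16]
    return rec


# Constructed samples in the layout the iRule produces (one space after each comma).
GOOD = ('1, 192.0.2.10, GET, 1.1, www.example.test, 10.1.1.20 80, "/api/search?q=x", '
        '"https://www.example.test/", "Mozilla/5.0", "ABC123SESSION", '
        'AES256-SHA, TLSv1, 256, 200, 512, 37')
# a User-Agent carrying '","' closes the quoted field early and adds a column
INJECTED = GOOD.replace('"Mozilla/5.0"', '"Mozilla/5.0","200"')
# the HTTP_RESPONSE part never got appended (connection dropped before the response)
TRUNCATED = GOOD.rsplit(",", 3)[0]

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("injected", INJECTED), ("truncated", TRUNCATED)):
        print(name, "->", parse_request_line(sample))
```

Rejected lines should still be kept somewhere (a quarantine file, a counter), since a spike of unparseable lines from one client is itself worth noticing; the parser only decides that they must not be trusted as structured records.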
  • hoolio
    Which LTM version are you running? For 9.4.2+ it would probably be easiest and most efficient to use the log option. For previous versions, how have you configured syslog-ng.conf to send the messages remotely?

    Aaron
  • Thanks, Hoolio!

    This is BIG-IP 9.4.4 Build 65.1 Final.

    What you suggest is exactly what I want to do... in my remote-logging iRule, I've put

    log 10.1.3.31 local0.info "$request_log_line,

    which seems to relate to your suggestion..

    log [-noname] [:] .[]
  • Got it figured out.

    Syslog traffic wasn't traveling over my management network.

    All is well, this is KILLER!
  • hoolio
    Yes, I think because TMM sends the syslog messages directly (bypassing syslog-ng) the syslog server must be on a TMM network, not the management network.

    Glad you got this working. It would be good to consider upgrading to 9.4.8 when you have a chance.

    Aaron