LTM logs to external syslog (Splunk)
Hello Experts
I want to send LTM logs to a syslog server. When I configure a syslog server, which LTM logs will be sent to syslog by default? I want the items below; do I need to write an iRule for this:
1- Each client IP and going to which pool member (which server was selected)
2- No of transactions per Virtual Server
3- Pool member health status
4- Virtual Server health status
Appreciated reply
16 Replies
You're looking for connection logging. There's a couple of very good articles out there about using High Speed Logging.
Here's a couple of other dev central resources for you.
https://devcentral.f5.com/wiki/irules.HSL.ashx
https://devcentral.f5.com/questions/logging-client-connections-to-syslog
- ghost-rider_124
Nimbostratus
Thanks for the reply. What about LTM other logs like pool member up/down etc? I will come without HSL. Because I am not able to see any such logs
- shaggy
Nimbostratus
pool member up/down (and everything else in /var/log/ltm) will be sent to a remote syslog server if a remote server is configured. connection information should be gathered via irule or logging profile and sent to a remote server using HSL
- James_124570
Nimbostratus
Is it really a good idea to attach an iRule that scans every packet to a production virtual server? There has to be a better way. Just my thoughts.
1- Each client IP and going to which pool member (which server was selected)
- High Speed Logging. See the links above.
2- No of transactions per Virtual Server
- can be extrapolated from the connection logging information. Usually done on a reporting server. However, you can get this information directly from the box by looking at Virtual Server Statistics.
3- Pool member health status
- This is found in /var/log/ltm. If you configure syslog like Shaggy mentioned, you're all set.
4- Virtual Server health status
- See "3" from above.
- ghost-rider_124
Nimbostratus
Thanks a lot. So if I configure syslog under System -> Logging, then /var/log/ltm by default will go to the syslog server?
- yep. That's correct. There's quite a bit that will get sent to the syslog server once you get that set up. Below are the docs for setting up the remote syslog, as well as how to filter it. Hope this helps.
https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13080.html?sr=42612466
https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13333.html
- ghost-rider_124
Nimbostratus
Can you please help me. I want to send only LTM and Audit Logs (admin activities) to remote syslog server. How I can filter the syslog setting. Appreciated your reply
- nitass_89166
Noctilucent
I want to send only LTM and Audit Logs (admin activities) to remote syslog server. How I can filter the syslog setting.
can you try something like this? it filters ltm (local0) and audit logs.
sol13333: Filtering log messages sent to remote syslog servers (11.x)
https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13333.html
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list sys syslog include
sys syslog {
    include "
        destination d_remote_loghost {
            udp(\"172.28.24.1\" port(514));
        };
        log {
            source(s_syslog_pipe);
            filter(f_local0);
            filter(f_no_audit);
            filter(f_no_msgbusd);
            filter(f_no_icrd);
            filter(f_no_urlfilter);
            filter(f_no_ipsec);
            destination(d_remote_loghost);
        };
        log {
            source(s_syslog_pipe);
            filter(f_audit);
            destination(d_remote_loghost);
        };
    "
}
- ghost-rider_124
Nimbostratus
Hi Nitass, thanks for the reply. Could you please let me know what is f_local0 and so on. These are keywords?
- nitass_89166
Noctilucent
it is defined in /etc/syslog-ng/syslog-ng.conf
Which version are you using? The log filter might also be able to do something for you, instead of playing with the syslog-ng config.
- MR_RJ
Cirrus
Just configure:
(/Common)(tmos.sys)# edit /sys syslog all-properties
Go to the line that says "include none" and replace that line with:
include "
    destination remote_server {
        udp(\"IP-OF-SYSLOG-SERVER\" port (514));
    };
    filter f_ltm {
        facility(local0) and level(emerg..info);
    };
    log {
        source(local);
        filter(f_ltm);
        destination(remote_server);
    };
"
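A receiver-side check for the f_ltm filter in the post above, as an added example that is not part of the original thread: it decodes the syslog PRI value (facility * 8 + severity) of each received line and flags anything that `facility(local0) and level(emerg..info)` should not have let through. The function names and sample lines are constructed for illustration, and the input is assumed to be raw syslog lines with the `<PRI>` header still intact.

```python
import re
from collections import Counter

# RFC 3164 / RFC 5424 PRI header: <N> where N = facility * 8 + severity
PRI_RE = re.compile(r"^<(\d{1,3})>")
FACILITY_LOCAL0 = 16   # local0, the facility f_ltm selects
SEVERITY_INFO = 6      # level(emerg..info) covers severities 0 through 6
SEVERITY_NAMES = "emerg alert crit err warning notice info debug".split()

def parse_pri(line):
    """Return (facility, severity) from the leading <PRI>, or None if absent/invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return (pri >> 3, pri & 7) if pri <= 191 else None  # 191 = 23 * 8 + 7

def matches_f_ltm(line):
    """True if the line would pass facility(local0) and level(emerg..info)."""
    parsed = parse_pri(line)
    return parsed is not None and parsed[0] == FACILITY_LOCAL0 and parsed[1] <= SEVERITY_INFO

def audit_feed(lines):
    """Count accepted lines per severity; collect lines the filter should have dropped."""
    accepted, unexpected = Counter(), []
    for line in lines:
        if matches_f_ltm(line):
            accepted[SEVERITY_NAMES[parse_pri(line)[1]]] += 1
        else:
            unexpected.append(line)
    return accepted, unexpected

# Constructed sample lines (hypothetical host and messages, not real BIG-IP output)
SAMPLE = [
    "<134>Jan  1 00:00:01 bigip-a example: pool member state changed",  # local0.info
    "<131>Jan  1 00:00:02 bigip-a example: monitor failure",            # local0.err
    "<135>Jan  1 00:00:03 bigip-a example: debug trace",                # local0.debug
    "<86>Jan  1 00:00:04 bigip-a example: login session opened",        # authpriv.info
    "Jan  1 00:00:05 bigip-a example: line without a PRI header",
]

if __name__ == "__main__":
    accepted, unexpected = audit_feed(SAMPLE)
    print(dict(accepted), unexpected)
```

Any line returned in `unexpected` means either the include on the BIG-IP is not the one in effect or another sender is writing to the same listener.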