Forum Discussion

ghost-rider_124's avatar
ghost-rider_124
Icon for Nimbostratus rankNimbostratus
Dec 22, 2014

LTM logs to external syslog (Splunk)

Hello Experts   I want to send LTM logs to syslog server. When I configure syslog server then by default what logs of LTM will be send to syslog? I want below, should I need to write an IRULE for ...
application delivery
deployment
LTM
nitass's avatar
nitass
Icon for Employee rankEmployee
Dec 24, 2014

I want to send only LTM and Audit Logs (admin activities) to remote syslog server. How I can filter the syslog setting.

can you try something like this? it filters ltm (local0) and audit logs.

sol13333: Filtering log messages sent to remote syslog servers (11.x)

https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13333.html 
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys syslog include
sys syslog {
    include "
destination d_remote_loghost {
  udp(\"172.28.24.1\" port(514));
};
log {
  source(s_syslog_pipe);
  filter(f_local0);
  filter(f_no_audit);
  filter(f_no_msgbusd);
  filter(f_no_icrd);
  filter(f_no_urlfilter);
  filter(f_no_ipsec);
  destination(d_remote_loghost);
};
log {
  source(s_syslog_pipe);
  filter(f_audit);
  destination(d_remote_loghost);
};
"
}
  • ghost-rider_124's avatar
    ghost-rider_124
    Icon for Nimbostratus rankNimbostratus
    Dec 24, 2014
    Hi Nitass Thanks for the reply. Could you please let me know what is f_local0 and so on. These are keywords?
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Dec 24, 2014
    it is defined in /etc/syslog-ng/syslog-ng.conf