Forum Discussion
QRadar setup issue
We are setting up sending our F5 info to QRadar, but "local/" is being placed in front of the hostname of the BIG-IP.
We have gone through the following steps:
mount -o remount,rw /usr    <------ makes /usr writable
then modified the following variable to null:
(before) my $hostslot = "local/";
(after)  my $hostslot = "";
Then, when tailing the /var/log/ltm file, we still see the local/ in front of the hostname:
Jan 16 07:26:38 local/ltm4mgt alert mcpd[3511]: 01070921:1: Virtual Server 'H1PRD_KEY_DR' on partition 'Common' disabled by user 'shane'.
BUT we have found that after a reboot the "local/" above will go away. Is there a way to get this change to take place without a reboot?
Thanks
4 Replies
- hoolio
Cirrostratus
You could try a custom syslog include statement instead of modifying the template file. It should be more supportable, as the config will be included in the upgrade if you use 'tmsh modify sys syslog include ...'.
https://devcentral.f5.com/community/group/asg/44/aft/1174103/showtab/groupforums
Aaron
- nitass
Employee
e.g. by default:

[root@ve10:Active] config # b syslog include
SYSLOG - Include Data: none
[root@ve10:Active] config # b pool foo monitor all none
[root@ve10:Active] config # b pool foo monitor all tcp
[root@ve10:Active] config # cat /var/log/ltm
Jan 18 06:20:44 local/ve10 notice mcpd[3776]: 01070638:5: Pool member 200.200.200.101:80 monitor status unchecked.
Jan 18 06:20:51 local/ve10 notice mcpd[3776]: 01070727:5: Pool member 200.200.200.101:80 monitor status up.

customization:

[root@ve10:Active] config # b syslog include '"
> # local0.* /var/log/ltm
> filter f_local0 {
>   facility(local0);
> };
> filter f_no_audit {
>   not match(\"AUDIT\");
> };
> destination d_ltm {
> };
> log {
>   source(s_syslog_pipe);
>   filter(f_local0);
>   filter(f_no_audit);
>   destination(d_ltm);
> };
>
> template t_customtmpl {
>   template(\"$DATE $HOST $PRIORITY $MSG\n\");
>   template_escape(no);
> };
> destination d_customltm {
>   file(\"/var/log/ltm\" create_dirs(yes) template(t_customtmpl));
> };
> log {
>   source(local);
>   filter(f_local0);
>   filter(f_no_audit);
>   destination(d_customltm);
> };
> "'
[root@ve10:Active] config # b pool foo monitor all none
[root@ve10:Active] config # b pool foo monitor all tcp
[root@ve10:Active] config # cat /var/log/ltm
Jan 18 06:22:30 ve10 notice mcpd[3776]: 01070638:5: Pool member 200.200.200.101:80 monitor status unchecked.
Jan 18 06:22:35 ve10 notice mcpd[3776]: 01070727:5: Pool member 200.200.200.101:80 monitor status up.
- pulse
Nimbostratus
To the original post, I am also curious about this. Editing the syslog.tmpl and then rebooting works, but just restarting syslog-ng does not, even though that is what the QRadar/F5 instructions say. How can you get syslog to recognize this without rebooting?
- RHendle_110546
Nimbostratus
Any idea how to make the same change to display the hostname in the syslog configuration for facilities using tmsh?
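The replies above fix the problem on the BIG-IP side with a syslog-ng template that omits the slot prefix. As an added example that is not from any of the posters or from F5, the following POSIX shell script is the matching check on the collector side: it reads lines in the log layout shown in the thread, reports whether the HOST field still carries a slot prefix such as local/ or slot1/, and strips that prefix so a SIEM that matches log sources by the hostname in the syslog header sees ltm4mgt rather than local/ltm4mgt. The sample lines are constructed from the output quoted in the thread; the function names and the regular expressions are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from F5: inspect and normalize the
# HOST field of BIG-IP /var/log/ltm lines that carry a "<slot>/" prefix
# (local/, slot1/, ...).
# Assumed line layout (as shown in the thread):
#   "$DATE $HOST $PRIORITY $PROGRAM[$PID]: $MSG"
#   i.e. "Mon DD HH:MM:SS host level program[pid]: message"

# Constructed sample lines, copied from the output quoted in the thread.
BEFORE="Jan 16 07:26:38 local/ltm4mgt alert mcpd[3511]: 01070921:1: Virtual Server 'H1PRD_KEY_DR' on partition 'Common' disabled by user 'shane'."
AFTER="Jan 18 06:22:30 ve10 notice mcpd[3776]: 01070638:5: Pool member 200.200.200.101:80 monitor status unchecked."

# Print the HOST field of one line (4th whitespace-separated token; awk
# collapses the double space in single-digit days such as "Jan  6").
ltm_host() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# Remove a leading "<slot>/" from the HOST field only. The message body is
# left untouched so paths inside it (e.g. /Common/pool) are not mangled.
strip_hostslot() {
    printf '%s\n' "$1" | sed -E 's#^([A-Z][a-z]{2} +[0-9]{1,2} [0-9:]{8} )[A-Za-z0-9_-]+/#\1#'
}

# Exit 0 if any line on stdin still has a slot prefix in the HOST field,
# 1 if none does. Feed it a tail of the live log as a before/after check.
has_hostslot() {
    awk '$4 ~ /^[A-Za-z0-9_-]+\// { found = 1 } END { exit found ? 0 : 1 }'
}

# Demonstration on the constructed samples.
printf 'before: %s\n' "$(ltm_host "$BEFORE")"                       # local/ltm4mgt
printf 'after : %s\n' "$(ltm_host "$(strip_hostslot "$BEFORE")")"   # ltm4mgt
if printf '%s\n' "$BEFORE" | has_hostslot; then
    echo "slot prefix still present in the sample; the include has not taken effect"
fi
```

Run it against a few lines from tail /var/log/ltm before and after applying the include; has_hostslot returning 1 is the result you want. It does not replace the fix on the BIG-IP, it only confirms which form the collector is actually receiving, which is also what decides whether the SIEM's log source identifier matches.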