Forum Discussion

Nimbostratus

Jan 16, 2013

Qradar setup issue

We are setting up sending our F5 info to Qradar but local/ is being placed in front of the hostname of teh BIGIP. We have gone thru the following steps mount -o remount,rw /usr <...

management

monitoring

nitass

Employee

Jan 17, 2013

e.g.

 by default

[root@ve10:Active] config  b syslog include
SYSLOG - Include Data: none

[root@ve10:Active] config  b pool foo monitor all none
[root@ve10:Active] config  b pool foo monitor all tcp

[root@ve10:Active] config  cat /var/log/ltm
Jan 18 06:20:44 local/ve10 notice mcpd[3776]: 01070638:5: Pool member 200.200.200.101:80 monitor status unchecked.
Jan 18 06:20:51 local/ve10 notice mcpd[3776]: 01070727:5: Pool member 200.200.200.101:80 monitor status up.

 customization

[root@ve10:Active] config  b syslog include '"
>  local0.*                                      /var/log/ltm
> filter f_local0 {
>    facility(local0);
> };
> filter f_no_audit {
>    not match(\"AUDIT\");
> };
> destination d_ltm {
> };
> log {
>    source(s_syslog_pipe);
>    filter(f_local0);
>    filter(f_no_audit);
>    destination(d_ltm);
> };
>
> template t_customtmpl {
>    template(\"$DATE $HOST $PRIORITY $MSG\n\");
>    template_escape(no);
> };
> destination d_customltm {
>    file(\"/var/log/ltm\" create_dirs(yes) template(t_customtmpl));
> };
> log {
>    source(local);
>    filter(f_local0);
>    filter(f_no_audit);
>    destination(d_customltm);
> };
> "'

[root@ve10:Active] config  b pool foo monitor all none
[root@ve10:Active] config  b pool foo monitor all tcp

[root@ve10:Active] config  cat /var/log/ltm
Jan 18 06:22:30 ve10 notice mcpd[3776]: 01070638:5: Pool member 200.200.200.101:80 monitor status unchecked.
Jan 18 06:22:35 ve10 notice mcpd[3776]: 01070727:5: Pool member 200.200.200.101:80 monitor status up.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)