Forum Discussion
uni
Altocumulus
AltocumulusSend syslog to host on non-zero route domain
How can I send syslog messages to an address on a route domain other than %0 ?
I have tried using a destination such as
destination d_host{
udp6("2620:0:c10:f501:0:1:ac1e:140f");
};
but no traffic seems to go out (should be to 172.30.20.15%1)
I'm using v 10.1 software, and add the syslog changes through "bigpipe syslog include" and restart syslog-ng after the changes.
I've tested to a custom file, and that works ok
6 Replies
hoolioCirrostratus
Hi Stephen,
If you've confirmed the conversion from 172.30.20.15%1 to 2620:0:c10:f501:0:1:ac1e:140f is correct and the syslog messages still aren't being sent by syslog-ng, I'd open a case with F5 Support on this.
Aaron
uniSolved. tcpdump showed the traffic was actually being sent, but on udp port 0. The solution was to add a port parameter to the destination:
destination d_host{
udp6("2620:0:c10:f501:0:1:ac1e:140f" port(514));
};- Stefan_Klotz
Cumulonimbus
Hi,
currently I have the same problem and I was happy to find this thread.
But I still have problems with restarting the syslog-ng deamon, because I get the following error message:
Starting syslog-ng: Error resolving hostname; host='136.131.236.15%2'
No destination address set;
[FAILED]
Below you can see the output of 'b syslog list all':
syslog {
authpriv from notice
authpriv to emerg
cron from warning
cron to emerg
daemon from notice
daemon to emerg
include "
destination remote_server {
udp6(\"2620:0000:0C10:F501:0000:0002:8883:EC0F\" port (514));
};
filter f_local0 {
facility(local0) and not match(\": Access from:\");
};
filter f_local0_accesslog {
facility(local0) and match(\": Access from:\");
};
log {
source(local);
filter(f_local0_accesslog);
destination(remote_server);
};
"
kern from notice
kern to emerg
mail from notice
mail to emerg
messages from notice
messages to warning
userlog from notice
userlog to emerg
remote server mlogsrv {
host 136.131.236.15%2
local ip none
remote port 514
}
}
What does it mean 'No destination address set'?
Please help, thank you!
Ciao Stefan :) - hoolioHi Stefan,
Is the host 136.131.236.15%2 part of your syslog include statement or the error?
Aaron - Stefan_KlotzIt seems to work now. I can at least see the outgoing message in the tcpdump. Waiting now for confirmation from the customer.
I removed the remote syslog server config ('b syslog remote server none') and then I could successfully restart the syslog-ng deamon.
But I'm still wondering, because I thought I tried exactly this configuration before and it was not working.
My syslog config is now:
syslog {
authpriv from notice
authpriv to emerg
cron from warning
cron to emerg
daemon from notice
daemon to emerg
include "
destination remote_server {
udp6(\"2620:0000:0C10:F501:0000:0002:8883:EC0F\" port (514));
};
filter f_local0 {
facility(local0) and not match(\": Access from:\");
};
filter f_local0_accesslog {
facility(local0) and match(\": Access from:\");
};
log {
source(local);
filter(f_local0_accesslog);
destination(remote_server);
};
"
kern from notice
kern to emerg
mail from notice
mail to emerg
messages from notice
messages to warning
userlog from notice
userlog to emerg
remote server none
}
Ciao Stefan :) - Stefan_KlotzCustomer also confirms, that messages arrived at their syslog server.
But in the meanwhile I found an alternative solution. Remote logging can also be defined directly in the iRule, this has the advantage that it is more safe during software updates and it's not that complicate to configure the required filters within syslog-ng.conf.
Please have a look at the iRule Wiki page:
http://devcentral.f5.com/wiki/default.aspx/iRules/log.html
We are using it with Route Domains, but without partitions. Therefor we have to specify the normal IPv4 address including the %RD, e.g. :
log 136.131.236.15%2:514 daemon. "[IP::remote_addr] -> [HTTP::host][HTTP::uri]"
I'm not sure if you can leave the %RD if you are working with partitions.
Ciao Stefan :)
