Forum Discussion

Simon_83666
Aug 11, 2008

Separate log files per virtual/pool/node

Someone might have raised this before, but I haven't been able to find a definite answer.

We're using BIG-IP LTM V9.3.1 to replace some of our reverse proxy / Apache servers, and by default LTM logs everything to /var/log/ltm when using the local0 facility. Is there a way to create separate log files per virtual server or even per pool/node?

This can be easily done in Apache, but I just haven't seen any document on how to do this on BIG-IP.

Any help is appreciated.

Simon

  • Hi,

    You can do it with the match filter within syslog-ng.

    You'll need to update the syslog-ng configuration to make rules with one match filter per vs or node or pool you want to log separately.

    example: filter f_vs_web { match(".*vs_web.*"); };

    then you create your log line to activate the logging with this filter.

    You can have a look here for syslog-ng: Click here

  • Hi,

    Thanks for the feedback. Do you have a more detailed example? I'm kinda new to both BIG-IP & syslog.
  • hoolio
    There are some syslog-ng examples as well as links to the syslog-ng manual in this Codeshare example:

    http://devcentral.f5.com/wiki/default.aspx/iRules/LogHttpTcpUdpToSyslogng.html

    Based on this document (Click here, starting with "A single log message can be sent to different log files several times."), something like this should work (though I didn't test it):

     
      
     #
     # local0.* Filters
     #
     # syslog.conf equivalent of the default rule:
     # local0.*                                      /var/log/ltm
     filter f_local0 {
        facility(local0) and level(info..emerg);
     };

     # Filter for local0 VIP1 messages
     filter f_local0_vip1 {
        facility(local0) and level(info..emerg) and match("vip1");
     };
     # Filter for local0 VIP2 messages
     filter f_local0_vip2 {
        facility(local0) and level(info..emerg) and match("vip2");
     };
     # Filter for local0 VIP3 messages
     filter f_local0_vip3 {
        facility(local0) and level(info..emerg) and match("vip3");
     };

     #
     # local0.* Destinations
     #
     # Default LTM log file
     destination d_ltm {
        file("/var/log/ltm" create_dirs(yes));
     };
     # LTM log file for VIP1
     destination d_vip1 {
        file("/var/log/ltm_vip1" create_dirs(yes));
     };
     # LTM log file for VIP2
     destination d_vip2 {
        file("/var/log/ltm_vip2" create_dirs(yes));
     };
     # LTM log file for VIP3
     destination d_vip3 {
        file("/var/log/ltm_vip3" create_dirs(yes));
     };

     #
     # local0.* Log statements
     #
     # Default LTM log statement
     log {
        source(local);
        filter(f_local0);
        destination(d_ltm);
     };
     # VIP1 log statement
     log {
        source(local);
        filter(f_local0_vip1);
        destination(d_vip1);
     };
     # VIP2 log statement
     log {
        source(local);
        filter(f_local0_vip2);
        destination(d_vip2);
     };
     # VIP3 log statement
     log {
        source(local);
        filter(f_local0_vip3);
        destination(d_vip3);
     };
     

    This assumes that the strings vip1, vip2 and vip3 are included in each log statement for the related VIPs. You'd need to tailor the filter statements' match("vip") to your environment.

    Aaron
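
Added example, not part of the posts above and not F5 or syslog-ng code: a small Python model of the per-VIP match() filters, showing that a bare substring pattern such as "vip1" also catches "vip10", so one VIP's traffic lands in another VIP's log file. It assumes match() behaves as an unanchored regular-expression search on the message; the sample log lines, the name vip10 and the delimiter-bounded pattern are constructed for illustration.

```python
import re

# Constructed sample messages; the format is an assumption, not real LTM output.
SAMPLE_LOGS = [
    "Rule log_http <HTTP_REQUEST>: vip1 10.0.0.5 GET /index.html",
    "Rule log_http <HTTP_REQUEST>: vip10 10.0.0.9 GET /login",
    "Rule log_http <HTTP_REQUEST>: vip2 10.0.0.7 GET /api",
    "Pool member 10.1.1.1:80 monitor status down",
]


def make_filters(names, strict=False):
    """Build one compiled pattern per VIP name, like one match() filter each.

    strict=False mirrors match("vip1"): a plain substring search.
    strict=True requires a non-name character (or the start/end of the
    message) on both sides of the name.
    """
    filters = {}
    for name in names:
        pattern = re.escape(name)
        if strict:
            pattern = r"(^|[^A-Za-z0-9_])" + pattern + r"([^A-Za-z0-9_]|$)"
        filters[name] = re.compile(pattern)
    return filters


def route(message, filters):
    """Return the per-VIP files a message is written to.

    Every log statement whose filter matches fires, so the result can
    hold more than one file.
    """
    return ["/var/log/ltm_" + n for n, rx in filters.items() if rx.search(message)]


def misrouted(logs, filters):
    """Return (message, files) pairs for messages matched by more than one VIP filter."""
    return [(m, route(m, filters)) for m in logs if len(route(m, filters)) > 1]


if __name__ == "__main__":
    names = ["vip1", "vip2", "vip10"]
    for strict in (False, True):
        print("delimited patterns:" if strict else "substring patterns:")
        filters = make_filters(names, strict)
        for msg in SAMPLE_LOGS:
            print("  ", route(msg, filters) or ["(default /var/log/ltm only)"], "<-", msg)
```

If the delimited form is carried into the syslog-ng filters, the equivalent pattern would be `(^|[^A-Za-z0-9_])vip1([^A-Za-z0-9_]|$)`; check it against the regex flavor of the syslog-ng version on the unit before relying on it.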