Syslog Filter Configuration for Separating Audit and LTM logs.

Question

Hello Community,&nbsp;I am currently configuring a remote syslog and i have two syslog servers:One server should receive only Audit logs.The second server should receive all other logs (ltm), excluding audit logs.I have drafted a syslog filters configuration to achieve this and would appreciate a second review to validate the approach and assist with any recommended adjustment.&nbsp;Thank you!&nbsp;filter f_syslog_audit{match(AUDIT);};filter f_syslog_ltm {not match(AUDIT) andfacility(local0);};destination d_syslog_server {udp(\"5.6.7.8\" port(514));};destination d_syslog_ltm {udp(\"1.2.3.4\" port(514));};log {source(s_syslog_pipe);filter(f_syslog_audit);destination(d_syslog_server);};log {source(s_syslog_pipe);filter(f_syslog_ltm);destination(d_syslog_ltm);};

jeff_granieri · Answer

Hi Sarah​ ,
&nbsp;
This should work: &nbsp;
filter f_syslog_audit { match("AUDIT"); };
filter f_syslog_ltm { not match("AUDIT") and facility(local0); };
destination d_syslog_server { udp("5.6.7.8" port(514)); };
destination d_syslog_ltm { udp("1.2.3.4" port(514)); };
log { source(s_syslog_pipe); filter(f_syslog_audit); destination(d_syslog_server); };
log { source(s_syslog_pipe); filter(f_syslog_ltm); destination(d_syslog_ltm); };

sarah · Answer

Hello Jeff,&nbsp;Thank you for your response.If i want to forward all log sources except the audit logs, would the below filter work?&nbsp;filter f_syslog_all { not match("AUDIT") };
destination d_syslog_all { udp("1.2.3.4" port(514)); };
log { source(s_syslog_pipe); filter(f_syslog_all); destination(d_syslog_all); };&nbsp;&nbsp;

jeff_granieri · Answer

this may be more inline on what you want to do&nbsp;
filter f_syslog_all_except_audit {
    not facility(local0);
};

destination d_syslog_all {
    udp("1.2.3.4" port(514));
};

log {
    source(s_syslog_pipe);
    filter(f_syslog_all_except_audit);
    destination(d_syslog_all);
};
&nbsp;

sarah · Answer

Thank you Jeff!Isn't the facility local0 statement include LTM log files?My intention is to forward all logs file (ltm, gtm, messages, ... etc) to the syslog server, while excluding any AUDIT logs.&nbsp;&nbsp;

jeff_granieri · Answer

HI Sarah​ ,
&nbsp;
Yes your right local0 includes everything other than a few procs mentioned below.&nbsp; have you tested this out in a lower environment
FacilityDescriptionDefault log filelocal0All BIG-IP-specific messages other than&nbsp;bigd,&nbsp;sod, and&nbsp;proxyd&nbsp;messages./var/log/bigip
filter f_syslog_all_except_audit {
    not (facility(local0) and match("AUDIT"));
};

destination d_syslog_all {
    udp("1.2.3.4" port(514));
};

log {
    source(s_syslog_pipe);
    filter(f_syslog_all_except_audit);
    destination(d_syslog_all);
};
&nbsp;

Forum Discussion

Syslog Filter Configuration for Separating Audit and LTM logs.

5 Replies

Win Big in Vegas: The iRules Contest is back with $5k on the line at AppWorld 2026

Jürgen - February 2026 Featured Member

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Random TCP Resets from F5

Base64 decoding issue (JSON request)

F5 i-series Guests to r-series tenants migration

Block specific URL's in APM

Sizing calculation storage

Related Content

LTM 9.4.2+: Custom Syslog Configuration

Syslog NG Email Configuration

Load Balancing TCP TLS Encrypted Syslog Messages

Configuring syslog-ng to email messages

Syslog virtual server

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS

Facility	Description	Default log file
local0	All BIG-IP-specific messages other than bigd, sod, and proxyd messages.	/var/log/bigip