For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

swjo_264656's avatar
swjo_264656
Icon for Cirrostratus rankCirrostratus
Dec 02, 2016

syslog filter to 2 remote server

Hi

 

I will be very grateful to you if anyone advice configure.

 

I`m going to send syslog to two syslog server.

 

modify sys syslog { include "filter f_ltm {facility(local0) and level(debug..emerg);};destination d_logsvr {udp(\"192.168.0.29\" port(514));}; destination d_logsvr2 {udp(\"192.168.0.30\" port(514));}; log {source(local);filter(f_ltm);destination(d_logsvr);}; log {source(local);filter(f_ltm);destination(d_logsvr2);};" }

I tested this config and it works well.

 

I have to insert this filter

filter f_no_log {

 

not match(\"Clock has unexpectedly adjusted by\")

 

and not match(\"Tmstat::updateSensorTbls: HAL SenSvc error: BourneSeepromDev\") and not match(\"http_process_state_prepend\") and not match(\"Tcpdump\");

 

}; so I configed like this

typing tmsh and input this

 

modify sys syslog { include "filter f_ltm {facility(local0) and level(debug..emerg) and not match(\"Clock has unexpectedly adjusted by\") and and not match(\"Tmstat::updateSensorTbls: HAL SenSvc error: BourneSeepromDev\") and and not match(\"http_process_state_prepend\") and and not match(\"Tcpdump\");};destination d_logsvr {udp(\"192.168.0.29\" port(514));}; destination d_logsvr2 {udp(\"192.168.0.30\" port(514));}; log {source(local);filter(f_ltm);destination(d_logsvr);}; log {source(local);filter(f_ltm);destination(d_logsvr2);};" }

but it doesn`t work well.

 

How can I modify this config?

 

thank you.

 

application delivery
BIG-IP
LTM

8 Replies

  • swjo_264656's avatar
    swjo_264656
    Icon for Cirrostratus rankCirrostratus
    Dec 02, 2016

    sorry I`m not sure modified config work or not.

     

    it there anything wrong?

     

  • cjunior's avatar
    cjunior
    Icon for Nacreous rankNacreous
    Dec 02, 2016

    Hi,

    When I have complex text, I'd prefer to use "edit" instead of "modify" when its possible, so, maybe it would useful to you.

    Run 

    edit sys syslog
    then replace content:

    modify syslog {
    include "
    filter f_ltm {
        facility(local0)
        and level(debug..emerg)
        and not match(\"Clock has unexpectedly adjusted by\")
        and not match(\"Tmstat::updateSensorTbls: HAL SenSvc error: BourneSeepromDev\")
        and not match(\"http_process_state_prepend\") and not match(\"Tcpdump\");
    };
    destination d_logsvr {
        udp(\"192.168.0.29\" port(514));
    };
    destination d_logsvr2 {
        udp(\"192.168.0.30\" port(514));
    };
    log {
        source(local);
        filter(f_ltm);
        destination(d_logsvr);
    };
    log {
        source(local);
        filter(f_ltm);
        destination(d_logsvr2);
    };"
}

    I've not tested, but it should work.

    Regards.
  • brunocalcado_31's avatar
    brunocalcado_31
    Icon for Nimbostratus rankNimbostratus
    Oct 14, 2018

    Hi everyone,

     

    I'm trying to understanding the configuration of syslog include. I found this article : https://support.f5.com/csp/article/K13333.

     

    Here we go, for the bigip would I have the same behavior with or without the escapes '\"' surrounding the server IP? Ex.:

     

    destination d_remote_loghost {

     

    tcp(\"10.11.16.253\" port(1468));

     

    udp(\"10.11.16.252\" port(514)); };

     

    And this :

     

    destination d_remote_loghost {

     

    tcp('10.11.16.253' port(1468));

     

    udp('10.11.16.252' port(514)); };

     

    Could you clarify this please? Thanks a lot. Best regards.

     

    • rob_carr's avatar
      rob_carr
      Icon for Cirrocumulus rankCirrocumulus
      Oct 14, 2018

      Is there some reason you can't use the escaped double-quotes (\") syntax?

       

    • brunocalcado_31's avatar
      brunocalcado_31
      Icon for Nimbostratus rankNimbostratus
      Oct 15, 2018

      Yes. Actually, I'm using Ansible to configure this part and the escapes are not considered. So, I'm wondering I could have the same behavior with and without theses escapes. I don't know how to test both results, so I cannot compare them. What do you think ?

       

      Best regards. BC.

       

  • brunocalcado's avatar
    brunocalcado
    Icon for Nimbostratus rankNimbostratus
    Oct 14, 2018

    Hi everyone,

     

    I'm trying to understanding the configuration of syslog include. I found this article : https://support.f5.com/csp/article/K13333.

     

    Here we go, for the bigip would I have the same behavior with or without the escapes '\"' surrounding the server IP? Ex.:

     

    destination d_remote_loghost {

     

    tcp(\"10.11.16.253\" port(1468));

     

    udp(\"10.11.16.252\" port(514)); };

     

    And this :

     

    destination d_remote_loghost {

     

    tcp('10.11.16.253' port(1468));

     

    udp('10.11.16.252' port(514)); };

     

    Could you clarify this please? Thanks a lot. Best regards.

     

    • rob_carr's avatar
      rob_carr
      Icon for Cirrocumulus rankCirrocumulus
      Oct 14, 2018

      Is there some reason you can't use the escaped double-quotes (\") syntax?

       

    • brunocalcado's avatar
      brunocalcado
      Icon for Nimbostratus rankNimbostratus
      Oct 15, 2018

      Yes. Actually, I'm using Ansible to configure this part and the escapes are not considered. So, I'm wondering I could have the same behavior with and without theses escapes. I don't know how to test both results, so I cannot compare them. What do you think ?

       

      Best regards. BC.