Forum Discussion
syslog filtering
8 Replies
- Skye_87422
Nimbostratus
We have tried the syslog include statements from many articles and yet the informational, debug, and notice events are still forwarding. It seems this should be basic functionality of the LTM, so any assistance would be appreciated. Here is the current syslog that has been modified to try to stop any ssl_acc and ssl_req messages, which are a large part of the informational events we see:
- nitass
Employee
we are trying to modify our syslog to get just warning and emergency level notifications, but all of the filters we have tried are not working.
have you tried syslog include in this sol?
- DenisGrimard_34
Historic F5 Account
Alternatively you could do it all from the command line and not go into vi using: The next is all on one line
tmsh modify /sys syslog include "filter f_remote_loghost {level(info..emerg);};filter f_ssl_acc_req {not (facility(local6) and level(info) and match('[ssl_acc\\]')) or not (facility(local6) and level(info) and match('[ssl_req\\]'));};destination d_remote_loghost {udp(\"192.168.2.102\" port(514));};log {source(s_syslog_pipe);filter(f_remote_loghost);filter(f_ssl_acc_req);destination(d_remote_loghost);};"
And then tmsh save /sys config
- willy_01_152938
Nimbostratus
If you implement the solution given before, your remote syslog filter won't work properly. Solution above:
tmsh modify /sys syslog include "filter f_remote_loghost {level(info..emerg);};filter f_ssl_acc_req {not (facility(local6) and level(info) and match('[ssl_acc\\]')) or not (facility(local6) and level(info) and match('[ssl_req\\]'));};destination d_remote_loghost {udp(\"192.168.2.102\" port(514));};log {source(s_syslog_pipe);filter(f_remote_loghost);filter(f_ssl_acc_req);destination(d_remote_loghost);};"
All the syslog traps of local6 are filtered, but not correctly, because: the 'or' should be replaced with 'and'. You also have to remove the brackets '[' and '\\]'; otherwise the filter does not match the keywords but some of the characters that make up the keywords 'ssl_req' or 'ssl_acc'. We have implemented the following solution below and this works fine:
include " filter f_dlog {level(info..emerg);}; filter f_ssl { not (facility(local6) and level(info) and match('ssl_acc')) and not(facility(local6) and level(info) and match('ssl_req')); }; destination drem_host { udp('xxx.xxx.xxx.xxx' port(514)); }; log { source(s_syslog_pipe); filter(f_dlog); filter(f_ssl); destination(drem_host); }; "
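To make the two problems willy describes concrete, here is an added example (mine, not code from this thread, from F5, or from syslog-ng itself) that emulates syslog-ng's filter evaluation in Python over a handful of constructed BIG-IP-style log lines. It assumes tmsh hands the pattern `'[ssl_acc\\]'` to syslog-ng as `[ssl_acc\]`, and that match() reads it as a POSIX bracket expression in which a backslash inside the brackets is literal, so the pattern is a character class rather than the token ssl_acc. The `Msg` and `forwarded` helpers, the sample facilities and the message texts are all constructed for the demonstration.

```python
"""Emulation of the syslog-ng filter logic from this thread, run over
constructed BIG-IP-style messages. Not BIG-IP code and not syslog-ng itself."""
import re
from dataclasses import dataclass

# syslog severities in numeric order: 0 (emerg) .. 7 (debug)
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


@dataclass(frozen=True)
class Msg:
    facility: str   # e.g. "local6"
    level: str      # e.g. "info"
    text: str       # the MESSAGE part that match() is applied to


def level_range(level: str, lo: str, hi: str) -> bool:
    """syslog-ng level(lo..hi): inclusive severity range, e.g. level(info..emerg)."""
    a, b = sorted((SEVERITY[lo], SEVERITY[hi]))
    return a <= SEVERITY[level] <= b


def f_remote_loghost(m: Msg) -> bool:
    """filter f_remote_loghost { level(info..emerg); }"""
    return level_range(m.level, "info", "emerg")


def ssl_clause(m: Msg, pattern: str) -> bool:
    """One 'facility(local6) and level(info) and match(pattern)' clause."""
    return (m.facility == "local6" and m.level == "info"
            and re.search(pattern, m.text) is not None)


# Assumption: tmsh hands '[ssl_acc\\]' to syslog-ng as '[ssl_acc\]', which as
# a POSIX bracket expression (backslash literal inside brackets) is the
# character class {s, l, _, a, c, \}. It matches almost any message, not the
# token ssl_acc. Python's re needs the backslash doubled to build the same class.
ACC_BRACKET = r"[ssl_ac\\]"
REQ_BRACKET = r"[ssl_req\\]"


def f_posted(m: Msg) -> bool:
    """The filter as first posted: bracket patterns joined with 'or'."""
    return (not ssl_clause(m, ACC_BRACKET)) or (not ssl_clause(m, REQ_BRACKET))


def f_or_only(m: Msg) -> bool:
    """Brackets removed but 'or' kept. No message is both ssl_acc and ssl_req,
    so at least one 'not' is always true and nothing is ever dropped."""
    return (not ssl_clause(m, "ssl_acc")) or (not ssl_clause(m, "ssl_req"))


def f_corrected(m: Msg) -> bool:
    """The corrected filter: plain substrings joined with 'and'."""
    return (not ssl_clause(m, "ssl_acc")) and (not ssl_clause(m, "ssl_req"))


def forwarded(msgs, *filters):
    """A syslog-ng log {} path delivers a message only if every filter()
    statement in the path accepts it. Returns the texts that get through."""
    return [m.text for m in msgs if all(f(m) for f in filters)]


# Constructed sample messages in the shape of BIG-IP log lines (not real captures).
SAMPLE = [
    Msg("local6", "info", 'ssl_acc: 192.0.2.10 - - [31/Jan/2014:14:51:06 +0000] "GET / HTTP/1.1" 200 0'),
    Msg("local6", "info", 'ssl_req: [31/Jan/2014:14:51:06 +0000] 192.0.2.10 TLSv1 AES256-SHA "GET / HTTP/1.1" 0'),
    Msg("local6", "info", "Rule /Common/log_clients <HTTP_REQUEST>: client 192.0.2.10"),
    Msg("local6", "notice", "ssl_acc: 192.0.2.10 - - same token but at notice level"),
    Msg("cron", "info", "(syscheck) CMD (/usr/bin/system_check -q)"),
    Msg("local0", "notice", "01420002:5: AUDIT - pid=8254 user=root status=[Command OK] cmd_data=save /sys config"),
    Msg("local6", "debug", "ssl_acc: 192.0.2.10 - - debug level, below info"),
]


def compare():
    """Run the three filter variants behind the level filter and report
    which sample texts would reach the remote destination."""
    return {
        "posted":    forwarded(SAMPLE, f_remote_loghost, f_posted),
        "or_only":   forwarded(SAMPLE, f_remote_loghost, f_or_only),
        "corrected": forwarded(SAMPLE, f_remote_loghost, f_corrected),
    }


if __name__ == "__main__":
    for name, lines in compare().items():
        print(f"{name}: {len(lines)} of {len(SAMPLE)} forwarded")
        for line in lines:
            print("   ", line[:70])
```

Running it shows the three behaviours side by side: the filter as posted drops every local6 info line (the bracket class matches the iRule log line just as readily as ssl_acc, so both `not` terms are false), the `or`-only variant drops nothing, and the corrected filter drops exactly the two ssl lines while letting other local6 info traffic and the notice-level ssl_acc line through. On a real device the thing to check is the generated syslog-ng configuration after `tmsh save /sys config`, to confirm how the escaped pattern actually came through.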
- DenisGrimard_34
Historic F5 Account
In case anyone else had issues, I used this to suppress ssl_req and ssl_acc and hopefully still get the rest from info to emerg.
modify syslog {
    auth-priv-from warning
    auth-priv-to emerg
    console-log enabled
    cron-from warning
    cron-to emerg
    daemon-from notice
    daemon-to emerg
    description none
    include " filter f_remote_loghost { level(info..emerg); }; filter f_ssl_acc_req { not (facility(local6) and level(info) and match('[ssl_acc\\]')) or not (facility(local6) and level(info) and match('[ssl_req\\]')); }; destination d_remote_loghost { udp(\"192.168.2.102\" port(514)); }; log { source(s_syslog_pipe); filter(f_remote_loghost); filter(f_ssl_acc_req); destination(d_remote_loghost); }; "
    iso-date disabled
    kern-from notice
    kern-to emerg
    local6-from notice
    local6-to emerg
    mail-from notice
    mail-to emerg
    messages-from notice
    messages-to warning
    remote-servers none
    user-log-from notice
    user-log-to emerg
}
Here is my syslog after
<85>Jan 31 14:51:06 f5 notice httpd[9697]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.2.102 attempts=1 start="Fri Jan 31 13:02:13 2014" end="Fri Jan 31 14    192.168.2.3  31/01 14:51:06.764
<133>Jan 31 14:51:06 f5 notice httpd[9697]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.2.102 attempts=1 start="Fri Jan 31 13:02:13 2014" end="Fri Jan 31 1    192.168.2.3  31/01 14:51:06.767
<85>Jan 31 14:51:12 f5 notice httpd[16433]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.2.102 attempts=1 start="Fri Jan 31 14:51:12 2014".    192.168.2.3  31/01 14:51:12.124
<133>Jan 31 14:51:12 f5 notice httpd[16433]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.2.102 attempts=1 start="Fri Jan 31 14:51:12 2014".    192.168.2.3  31/01 14:51:12.126
<133>Jan 31 14:51:58 f5 notice tmsh[8254]: 01420002:5: AUDIT - pid=8254 user=root folder=/Common module=(tmos) status=[edit canceled] cmd_data=edit /sys syslog all-properties    192.168.2.3  31/01 14:51:58.087
<78>Jan 31 14:52:01 f5 info crond[18300]: (syscheck) CMD (/usr/bin/system_check -q)    192.168.2.3  31/01 14:52:01.351
<133>Jan 31 14:52:02 f5 notice tmsh[8254]: 01420002:5: AUDIT - pid=8254 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=save /sys config    192.168.2.3  31/01 14:52:02.313
<133>Jan 31 14:52:27 f5 notice tmsh[8254]: 01420002:5: AUDIT - pid=8254 user=root folder=/Common module=(tmos) status=[edit canceled] cmd_data=edit /sys syslog all-properties    192.168.2.3  31/01 14:52:27.314
<78>Jan 31 14:54:01 f5 info crond[18547]: (syscheck) CMD (/usr/bin/system_check -q)    192.168.2.3  31/01 14:54:01.413
<78>Jan 31 14:55:01 f5 info crond[18665]: (root) CMD (/usr/lib/sa/sa1)    192.168.2.3  31/01 14:55:01.446
<78>Jan 31 14:56:01 f5 info crond[18779]: (syscheck) CMD (/usr/bin/system_check -q)    192.168.2.3  31/01 14:56:01.486