Forum Discussion
Nimbostratussyslog filtering
8 Replies
Skye_87422We have tried the syslog include statements from many articles and yet the informational, debug, and notice events are still forwarding. It seems this should be a basic functionality of the LTM so any assistance would be appreciated. Here is the current syslog that has been modified to try to stop any ssl_acc and ssl_req messages which are a large part of the information events we see:
modify syslog {
auth-priv-from warning
auth-priv-to emerg
cron-from warning
cron-to emerg
daemon-from warning
daemon-to emerg
description none
include "
filter f_remote_loghost {
level(warn..emerg);
};
filter f_local6_httpd_ssl_acc {
facility(local6)
and match(\"\\[ssl_acc\\]\") and not match(\"\\] 172.30.x.x\"); };
filter f_local6_httpd_ssl_req {
facility(local6)
and match(\"\\[ssl_req\\]\") and not match(\"\\] 172.30.x.x\"); };
destination d_remote_loghost {
udp(\"172.30.y.y\" port(514));
};
log {
source(s_syslog_pipe);
filter(f_remote_loghost);
filter(f_local6_httpd_ssl_acc);
filter(f_local6_httpd_ssl_req);
destination(d_remote_loghost);
};
"
iso-date disabled
kern-from warning
kern-to emerg
mail-from warning
mail-to emerg
messages-from warning
messages-to warning
remote-servers replace-all-with {
remotesyslog1 {
description none
host 172.30.y.y
local-ip none
remote-port 514
}
}
user-log-from warning
user-log-to emerg- nitass
Employee
we are trying to modify our syslog to get just warning and emergency level notifications, but all of the filters we have tried are not working.have you tried syslog include in this sol?
sol11723: Filtering log messages sent to remote syslog servers (9.4.x - 10.x)
http://support.f5.com/kb/en-us/solutions/public/11000/700/sol11723.html
We have tried the syslog include statements from many articles and yet the informational, debug, and notice events are still forwarding. It seems this should be a basic functionality of the LTM so any assistance would be appreciated.your syslog include command is correct but the wrong is remotesyslog1. since you use syslog include, you do not need to have remotesyslog1. remove it and it will work. :-)- Alternatively you could do it all form the command line and not go into vi using: The next is all on one line tmsh modify /sys syslog include "filter f_remote_loghost {level(info..emerg);};filter f_ssl_acc_req {not (facility(local6) and level(info) and match('[ssl_acc\\]')) or not (facility(local6) and level(info) and match('[ssl_req\\]'));};destination d_remote_loghost {udp(\"192.168.2.102\" port(514));};log {source(s_syslog_pipe);filter(f_remote_loghost);filter(f_ssl_acc_req);destination(d_remote_loghost);};" And then tmsh save /sys config
willy_01_152938If you implement the solution given before you remote syslog filter wouldn't work properly. Solution above: tmsh modify /sys syslog include "filter f_remote_loghost {level(info..emerg);};filter f_ssl_acc_req {not (facility(local6) and level(info) and match('[ssl_acc\\]')) or not (facility(local6) and level(info) and match('[ssl_req\\]'));};destination d_remote_loghost {udp(\"192.168.2.102\" port(514));};log {source(s_syslog_pipe);filter(f_remote_loghost);filter(f_ssl_acc_req);destination(d_remote_loghost);};" All the syslog traps of local6 are filtered but not correctley, because: The 'or' command should be replaced with the 'and' command. You have also to remove the brackets '[' and '\\]' otherwhise the filter matched not they keywords but some characters how are involved at he keywords 'ssl_req' or 'ssl_acc' . We have implemented the following solution below and this works fine: include " filter f_dlog {level(info..emerg);}; filter f_ssl { not (facility(local6) and level(info) and match('ssl_acc')) and not(facility(local6) and level(info) and match('ssl_req')); }; destination drem_host { udp('xxx.xxx.xxx.xxx' port(514)); }; log { source(s_syslog_pipe); filter(f_dlog); filter(f_ssl); destination(drem_host); }; "
nitass_89166Noctilucent
we are trying to modify our syslog to get just warning and emergency level notifications, but all of the filters we have tried are not working.have you tried syslog include in this sol?
sol11723: Filtering log messages sent to remote syslog servers (9.4.x - 10.x)
http://support.f5.com/kb/en-us/solutions/public/11000/700/sol11723.html
We have tried the syslog include statements from many articles and yet the informational, debug, and notice events are still forwarding. It seems this should be a basic functionality of the LTM so any assistance would be appreciated.your syslog include command is correct but the wrong is remotesyslog1. since you use syslog include, you do not need to have remotesyslog1. remove it and it will work. :-)- Alternatively you could do it all form the command line and not go into vi using: The next is all on one line tmsh modify /sys syslog include "filter f_remote_loghost {level(info..emerg);};filter f_ssl_acc_req {not (facility(local6) and level(info) and match('[ssl_acc\\]')) or not (facility(local6) and level(info) and match('[ssl_req\\]'));};destination d_remote_loghost {udp(\"192.168.2.102\" port(514));};log {source(s_syslog_pipe);filter(f_remote_loghost);filter(f_ssl_acc_req);destination(d_remote_loghost);};" And then tmsh save /sys config
- willy_01_152938If you implement the solution given before you remote syslog filter wouldn't work properly. Solution above: tmsh modify /sys syslog include "filter f_remote_loghost {level(info..emerg);};filter f_ssl_acc_req {not (facility(local6) and level(info) and match('[ssl_acc\\]')) or not (facility(local6) and level(info) and match('[ssl_req\\]'));};destination d_remote_loghost {udp(\"192.168.2.102\" port(514));};log {source(s_syslog_pipe);filter(f_remote_loghost);filter(f_ssl_acc_req);destination(d_remote_loghost);};" All the syslog traps of local6 are filtered but not correctley, because: The 'or' command should be replaced with the 'and' command. You have also to remove the brackets '[' and '\\]' otherwhise the filter matched not they keywords but some characters how are involved at he keywords 'ssl_req' or 'ssl_acc' . We have implemented the following solution below and this works fine: include " filter f_dlog {level(info..emerg);}; filter f_ssl { not (facility(local6) and level(info) and match('ssl_acc')) and not(facility(local6) and level(info) and match('ssl_req')); }; destination drem_host { udp('xxx.xxx.xxx.xxx' port(514)); }; log { source(s_syslog_pipe); filter(f_dlog); filter(f_ssl); destination(drem_host); }; "
In case anyone else had issues, I used this to suppress ssl_rec and ssl_acc and hopefully still getting the rest from info to emerg.
modify syslog {
auth-priv-from warning auth-priv-to emerg console-log enabled cron-from warning cron-to emerg daemon-from notice daemon-to emerg description none include " filter f_remote_loghost { level(info..emerg); }; filter f_ssl_acc_req { not (facility(local6) and level(info) and match('[ssl_acc\\]')) or not (facility(local6) and level(info) and match('[ssl_req\\]')); }; destination d_remote_loghost { udp(\"192.168.2.102\" port(514)); }; log { source(s_syslog_pipe); filter(f_remote_loghost); filter(f_ssl_acc_req); destination(d_remote_loghost); }; " iso-date disabled kern-from notice kern-to emerg local6-from notice local6-to emerg mail-from notice mail-to emerg messages-from notice messages-to warning remote-servers none user-log-from notice user-log-to emerg}
Here is my syslog after
<85>Jan 31 14:51:06 f5 notice httpd[9697]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.2.102 attempts=1 start="Fri Jan 31 13:02:13 2014" end="Fri Jan 31 14192.168.2.331/01 14:51:06.764
<133>Jan 31 14:51:06 f5 notice httpd[9697]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.2.102 attempts=1 start="Fri Jan 31 13:02:13 2014" end="Fri Jan 31 1192.168.2.331/01 14:51:06.767
<85>Jan 31 14:51:12 f5 notice httpd[16433]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.2.102 attempts=1 start="Fri Jan 31 14:51:12 2014". 192.168.2.331/01 14:51:12.124 <133>Jan 31 14:51:12 f5 notice httpd[16433]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.2.102 attempts=1 start="Fri Jan 31 14:51:12 2014". 192.168.2.331/01 14:51:12.126
<133>Jan 31 14:51:58 f5 notice tmsh[8254]: 01420002:5: AUDIT - pid=8254 user=root folder=/Common module=(tmos) status=[edit canceled] cmd_data=edit /sys syslog all-properties 192.168.2.331/01 14:51:58.087
<78>Jan 31 14:52:01 f5 info crond[18300]: (syscheck) CMD (/usr/bin/system_check -q) 192.168.2.331/01 14:52:01.351
<133>Jan 31 14:52:02 f5 notice tmsh[8254]: 01420002:5: AUDIT - pid=8254 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=save /sys config 192.168.2.331/01 14:52:02.313
<133>Jan 31 14:52:27 f5 notice tmsh[8254]: 01420002:5: AUDIT - pid=8254 user=root folder=/Common module=(tmos) status=[edit canceled] cmd_data=edit /sys syslog all-properties 192.168.2.331/01 14:52:27.314
<78>Jan 31 14:54:01 f5 info crond[18547]: (syscheck) CMD (/usr/bin/system_check -q) 192.168.2.331/01 14:54:01.413
<78>Jan 31 14:55:01 f5 info crond[18665]: (root) CMD (/usr/lib/sa/sa1) 192.168.2.331/01 14:55:01.446
<78>Jan 31 14:56:01 f5 info crond[18779]: (syscheck) CMD (/usr/bin/system_check -q) 192.168.2.331/01 14:56:01.486
