syslog filtering
In case anyone else had issues, I used this to suppress ssl_req and ssl_acc and hopefully still get the rest from info to emerg.
modify syslog {
auth-priv-from warning
auth-priv-to emerg
console-log enabled
cron-from warning
cron-to emerg
daemon-from notice
daemon-to emerg
description none
include "
  # forward info..emerg to the remote host; debug is dropped here
  filter f_remote_loghost {
    level(info..emerg);
  };
  # drop only the local6.info [ssl_acc] / [ssl_req] access-log lines; everything
  # else (including the AUDIT messages) still passes. Both match() terms sit under
  # one not(): 'not A or not B' would be true for every message and filter nothing,
  # and the brackets must be escaped so they are not read as a regex character class.
  filter f_ssl_acc_req {
    not (facility(local6) and level(info) and (match('\\[ssl_acc\\]') or match('\\[ssl_req\\]')));
  };
  destination d_remote_loghost {
    udp(\"192.168.2.102\" port(514));
  };
  log {
    source(s_syslog_pipe);
    filter(f_remote_loghost);
    filter(f_ssl_acc_req);
    destination(d_remote_loghost);
  };
"
iso-date disabled
kern-from notice
kern-to emerg
local6-from notice
local6-to emerg
mail-from notice
mail-to emerg
messages-from notice
messages-to warning
remote-servers none
user-log-from notice
user-log-to emerg
}
Here is my syslog afterward:
<85>Jan 31 14:51:06 f5 notice httpd[9697]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.2.102 attempts=1 start="Fri Jan 31 13:02:13 2014" end="Fri Jan 31 14192.168.2.331/01 14:51:06.764
<133>Jan 31 14:51:06 f5 notice httpd[9697]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.2.102 attempts=1 start="Fri Jan 31 13:02:13 2014" end="Fri Jan 31 1192.168.2.331/01 14:51:06.767
<85>Jan 31 14:51:12 f5 notice httpd[16433]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.2.102 attempts=1 start="Fri Jan 31 14:51:12 2014". 192.168.2.331/01 14:51:12.124
<133>Jan 31 14:51:12 f5 notice httpd[16433]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.2.102 attempts=1 start="Fri Jan 31 14:51:12 2014". 192.168.2.331/01 14:51:12.126
<133>Jan 31 14:51:58 f5 notice tmsh[8254]: 01420002:5: AUDIT - pid=8254 user=root folder=/Common module=(tmos) status=[edit canceled] cmd_data=edit /sys syslog all-properties 192.168.2.331/01 14:51:58.087
<78>Jan 31 14:52:01 f5 info crond[18300]: (syscheck) CMD (/usr/bin/system_check -q) 192.168.2.331/01 14:52:01.351
<133>Jan 31 14:52:02 f5 notice tmsh[8254]: 01420002:5: AUDIT - pid=8254 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=save /sys config 192.168.2.331/01 14:52:02.313
<133>Jan 31 14:52:27 f5 notice tmsh[8254]: 01420002:5: AUDIT - pid=8254 user=root folder=/Common module=(tmos) status=[edit canceled] cmd_data=edit /sys syslog all-properties 192.168.2.331/01 14:52:27.314
<78>Jan 31 14:54:01 f5 info crond[18547]: (syscheck) CMD (/usr/bin/system_check -q) 192.168.2.331/01 14:54:01.413
<78>Jan 31 14:55:01 f5 info crond[18665]: (root) CMD (/usr/lib/sa/sa1) 192.168.2.331/01 14:55:01.446
<78>Jan 31 14:56:01 f5 info crond[18779]: (syscheck) CMD (/usr/bin/system_check -q) 192.168.2.331/01 14:56:01.486
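A small model of the two syslog-ng filters in the post, added here as an example (not part of the original post or of F5's own tooling) so the filter logic can be checked against sample lines before touching the BIG-IP: it decodes the <PRI> field into facility/severity, reproduces the posted 'not A or not B' filter next to a corrected 'not (A or B)' form, and shows which lines each one forwards. The sample lines and the program names in them are constructed for the test; the PRI values follow RFC 3164 (facility * 8 + severity, local6 = 22).

```python
import re

# RFC 3164 PRI = facility * 8 + severity; local6 is facility 22, info is severity 6
LOCAL6 = 22
LEVEL = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
         "notice": 5, "info": 6, "debug": 7}
PRI_RE = re.compile(r"^<(\d{1,3})>")
SSL_RE = re.compile(r"\[ssl_(acc|req)\]")   # the two access-log tags being suppressed


def parse_pri(line):
    """Decode the leading <PRI> field into (facility, severity)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> field in: %r" % line[:40])
    pri = int(m.group(1))
    return pri // 8, pri % 8


def f_remote_loghost(line):
    """level(info..emerg): keep severities 0..6, i.e. drop only debug."""
    return parse_pri(line)[1] <= LEVEL["info"]


def f_ssl_acc_req_original(line):
    """The posted filter as written: 'not A or not B'. A line never carries both
    tags, so one side is always true and every line passes: nothing is suppressed."""
    fac, sev = parse_pri(line)
    base = fac == LOCAL6 and sev == LEVEL["info"]
    acc = base and "[ssl_acc]" in line
    req = base and "[ssl_req]" in line
    return (not acc) or (not req)


def f_ssl_acc_req_fixed(line):
    """Corrected filter: drop local6.info lines tagged [ssl_acc] or [ssl_req], nothing else."""
    fac, sev = parse_pri(line)
    return not (fac == LOCAL6 and sev == LEVEL["info"] and SSL_RE.search(line))


def forwarded(lines, ssl_filter):
    """Model the log {} path: syslog-ng ANDs chained filters, so both must pass."""
    return [ln for ln in lines if f_remote_loghost(ln) and ssl_filter(ln)]


# Constructed sample input (not from the post); <182> is local6.info, <183> is local6.debug
SAMPLE = [
    '<182>Jan 31 14:50:00 f5 info httpd[4822]: [ssl_acc] 192.168.2.50 - admin [31/Jan/2014:14:50:00 -0500] "GET /tmui/ HTTP/1.1" 200 1234',
    '<182>Jan 31 14:50:00 f5 info httpd[4822]: [ssl_req] [31/Jan/2014:14:50:00 -0500] 192.168.2.50 TLSv1 AES256-SHA "GET /tmui/ HTTP/1.1" 1234',
    '<85>Jan 31 14:51:06 f5 notice httpd[9697]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) host=192.168.2.102',
    '<78>Jan 31 14:52:01 f5 info crond[18300]: (syscheck) CMD (/usr/bin/system_check -q)',
    '<183>Jan 31 14:52:05 f5 debug tmm[4822]: debug chatter that the level filter should drop',
]
```

Running `forwarded(SAMPLE, f_ssl_acc_req_original)` keeps all four non-debug lines, including both SSL access-log lines, while `forwarded(SAMPLE, f_ssl_acc_req_fixed)` keeps only the AUDIT and cron lines.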