Forum Discussion
Tim_92618
Nimbostratus
Aug 31, 2012
syslog filtering
We are trying to modify our syslog to get just warning and emergency level notifications, but all of the filters we have tried are not working.
nitass
Employee
Sep 02, 2012
> we are trying to modify our syslog to get just warning and emergency level notifications, but all of the filters we have tried are not working.
Have you tried syslog include in this sol?
sol11723: Filtering log messages sent to remote syslog servers (9.4.x - 10.x)
http://support.f5.com/kb/en-us/solutions/public/11000/700/sol11723.html
> We have tried the syslog include statements from many articles and yet the informational, debug, and notice events are still forwarding. It seems this should be a basic functionality of the LTM so any assistance would be appreciated.
Your syslog include command is correct, but what is wrong is remotesyslog1. Since you use syslog include, you do not need to have remotesyslog1. Remove it and it will work. :-)
willy_01_152938
Nimbostratus
Jul 21, 2015
If you implement the solution given before, your remote syslog filter wouldn't work properly.
Solution above:
tmsh modify /sys syslog include "filter f_remote_loghost {level(info..emerg);};filter f_ssl_acc_req {not (facility(local6) and level(info) and match('[ssl_acc\\]')) or not (facility(local6) and level(info) and match('[ssl_req\\]'));};destination d_remote_loghost {udp(\"192.168.2.102\" port(514));};log {source(s_syslog_pipe);filter(f_remote_loghost);filter(f_ssl_acc_req);destination(d_remote_loghost);};"
All the syslog traps of local6 are filtered, but not correctly, because:
The 'or' command should be replaced with the 'and' command. You also have to remove the brackets '[' and '\\]', otherwise the filter matches not the keywords but some characters that are contained in the keywords 'ssl_req' or 'ssl_acc'.
We have implemented the following solution below and this works fine:
include "
filter f_dlog { level(info..emerg); };
filter f_ssl {
    not (facility(local6) and level(info) and match('ssl_acc'))
    and
    not (facility(local6) and level(info) and match('ssl_req'));
};
destination drem_host { udp('xxx.xxx.xxx.xxx' port(514)); };
log {
    source(s_syslog_pipe);
    filter(f_dlog);
    filter(f_ssl);
    destination(drem_host);
};
"
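The difference between the two filters in the post above, worked through in Python as an added example (it is not part of the original posts and is not syslog-ng itself). It assumes match() reads `[ssl_acc\]` as a bracket expression, i.e. a set of single characters, as the post describes; the log lines, helper names and addresses are constructed.

```python
import re

# Constructed sample messages (facility, level, text); not from the thread.
SAMPLES = [
    ("local6", "info", "[ssl_acc] 192.0.2.10 - admin GET /tmui/login.jsp 200"),
    ("local6", "info", "[ssl_req] 192.0.2.10 TLSv1 GET /tmui/login.jsp"),
    ("local6", "info", "httpd configuration reloaded"),
    ("local0", "warning", "pool member 10.1.1.1:80 monitor status down"),
]

# Assumption: match('[ssl_acc\]') is read as a bracket expression, so it hits
# any single character from the set, with the backslash as a literal member.
CLASS_ACC, CLASS_REQ = r"[ssl_acc\\]", r"[ssl_req\\]"
WORD_ACC, WORD_REQ = "ssl_acc", "ssl_req"

def hit(msg, pattern):
    """facility(local6) and level(info) and match(pattern)"""
    facility, level, text = msg
    return facility == "local6" and level == "info" and bool(re.search(pattern, text))

def f_or(msg, acc, req):
    """Shape of f_ssl_acc_req: not (...acc) or not (...req)."""
    return (not hit(msg, acc)) or (not hit(msg, req))

def f_and(msg, acc, req):
    """Shape of f_ssl: not (...acc) and not (...req)."""
    return (not hit(msg, acc)) and (not hit(msg, req))

def forwarded(filt, acc, req):
    """Indexes of SAMPLES that pass the filter and would reach the remote host."""
    return [i for i, m in enumerate(SAMPLES) if filt(m, acc, req)]

if __name__ == "__main__":
    print("or  + brackets:", forwarded(f_or, CLASS_ACC, CLASS_REQ))
    print("or  + keywords:", forwarded(f_or, WORD_ACC, WORD_REQ))
    print("and + keywords:", forwarded(f_and, WORD_ACC, WORD_REQ))
```

With the brackets, the 'or' filter drops every local6 info line that contains a character from both sets, including the unrelated httpd line. With plain keywords, 'or' drops nothing because no line carries both keywords, and only 'and' drops exactly the two ssl lines.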