RobW
Jul 13, 2010

syslog-ng

LTM v10.0.1

syslog-ng.conf contains the following template

sent messages will use this template
template t_commontmpl {
    template("<$PRI> $DATE local/$HOST $PRIORITY $MSG\n");
    template_escape(no);
};

I'm trying to modify this template, getting rid of "local/$HOST" and inserting a different macro: $FULLHOST, $FULLHOST_FROM or $SOURCEIP.

When I execute the "b syslog include" command I get a BIGpipe parsing error

"012e0022:3 The requested value (<$PRI> $DATE is invalid (show | | none) for 'include' in 'syslog'"

What is the recommended F5 way to modify this statement?

Thanks

Rob
  • RobW
    Okay, I figured out the solution, but first the problem. The ltms running v9 worked fine when redirecting the log files to the remote syslog server, which I have no control over. Each v9 system has a separate log file on the syslog-ng server; no mods needed to be made to the syslog-ng.conf file on the v9 ltms.

    So why did F5 change this behavior on the v10 systems?

    With v10 systems a template is used that formats the syslog data sent to a remote syslog server in the form of "timestamp local/$HOST .... message". This was causing all v10 ltm system logs to be written to a single file named "local" on the remote syslog-ng server.

    Numerous attempts to rewrite the template failed; in fact it broke logging altogether, and F5 support stated that a rewrite of the template was not supported and that I need to redo my syslog server to handle the way F5 ltm was sending the data. So much for support.

    So back to the drawing board. The goal was to have separate log files on the syslog server for each v10 system. I initially played with the v10 syslog-ng.conf "options" section without any luck. Initially I added "use_fqdn(yes)" but this did not work. With this config option the syslog server still received the data stream in the following format, "timestamp local/fqdn .... message", still causing the remote syslog-ng server to write all the v10 ltm data to a single file named local.

    The solution appears to be setting the options in the following manner:

    bigpipe syslog include '"options {
    dir_perm(0755);
    perm(0644);
    chain_hostnames(no);
    use_fqdn(yes);
    keep_hostname(no);
    stats(0);
    log_fifo_size(2048):
    };"'

    So now each v10 ltm has a separate log file on the remote syslog server and uses the fqdn in the message.

    -Rob
  • This include stanza has a typo on the second-to-last line (log_fifo_size). It should end with a semicolon, not a colon. The corrected version reads:
    bigpipe syslog include '"options {
    dir_perm(0755);
    perm(0644);
    chain_hostnames(no);
    use_fqdn(yes);
    keep_hostname(no);
    stats(0);
    log_fifo_size(2048);
    };"'
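
A check for the terminator typo pointed out in the last reply, as an added example that is not part of the original thread or of F5's tooling: a small Python linter to run over the options stanza before handing it to bigpipe, since a stanza that fails to parse can stop remote logging. The function name `lint_options` and the simplified grammar (flat `name(args);` statements, no nested blocks or comments) are assumptions of this sketch.

```python
import re

# One option statement: name(args), then an optional single terminator character.
# The terminator class excludes identifier characters so that a missing ';'
# does not swallow the first letter of the next statement.
STATEMENT = re.compile(r"\s*([a-z_]+)\s*\(([^()]*)\)\s*([^\sa-z_]?)")

def lint_options(stanza: str) -> list[str]:
    """Return the problems found in an 'options { ... };' stanza (empty list = clean)."""
    block = re.search(r"options\s*\{(.*)\}\s*(\S?)", stanza, re.S)
    if not block:
        return ["no 'options { ... }' block found"]
    body, closer = block.group(1), block.group(2)
    problems = []
    if closer != ";":
        problems.append("block must close with '};'")
    pos = 0
    while body[pos:].strip():
        stmt = STATEMENT.match(body, pos)
        if not stmt:
            bad = body[pos:].strip().splitlines()[0]
            problems.append(f"cannot parse: {bad!r}")
            break
        name, _args, term = stmt.groups()
        if term != ";":
            problems.append(f"{name}: expected ';' after ')', found {term!r}")
        pos = stmt.end()
    return problems

# The stanza as first posted in the thread (shell quoting removed).
POSTED = """options {
dir_perm(0755);
perm(0644);
chain_hostnames(no);
use_fqdn(yes);
keep_hostname(no);
stats(0);
log_fifo_size(2048):
};"""

# The corrected stanza from the last reply.
CORRECTED = POSTED.replace("log_fifo_size(2048):", "log_fifo_size(2048);")

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, lint_options(text) or "OK")
```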