Forum Discussion
dan_19334
Nimbostratus
NimbostratusSyslog off box via TCP and stop writing to disk
We would like to remote syslog off the LTM via TCP for guaranteed delivery and also prevent the messages from writing to disk. In order to get TCP versus UDP we stream the logs through the local syslog-ng process as the remote iRule log command can only do UDP. I have referenced the great "Custom Syslog Configuration" article on how to append custom changes to syslog-ng, which has allowed us to stream syslog messages off the box via TCP. :-)
The problem is that even though we have added configs to send logs off the box, the syslog-ng process is still writing them to disk which is causing a performance degradation. We want to send off the box and also stop from logging locally. When we do custom syslog configs it appears to only add additional configuration but doesn't change any of the existing default configs. Is there anyway to override local0 (or other) to stop writing to /var/log/ltm?
Thanks,
-Dan
hoolioCirrostratus
Hi Dan,
For versions lower than 9.4.2 you can edit the syslog-ng.conf however you want. In 9.4.2+ there is the new CLI interface which limits the options. If you're on a newer version, I'd suggest opening a case with F5 Support and asking them if it's possible or for a workaround. Worst case, hopefully they'll add the functionality in a future release.
Aaron
dan_19334Thanks for the information. Here is my workaround to get any custom syslog-ng configuration. This allowed me to stream logs off the box without writing them to disk.
1) Stop syslog-ng (bigstart stop syslog-ng)
2) Edit /var/run/config/syslog-ng.conf to meet my needs
3) Start syslog-ng (bigstart start syslog-ng)
This worked around the limitations of just appending syslog configs via the F5 method.
Thanks.
Ed_Hammond_2611You need to add the exclusion rules to the syslog-ng.conf file on the LTM lines. For example:filter f_local0 { facility(local0) and level(info..emerg) and not match(": Rule ") ; }; destination d_ltm { file("/var/log/ltm" create_dirs(yes)); }; log { source(local); filter(f_local0); destination(d_ltm); };
Note the and not match(": Rule ") is what you need.- dan_19334Thanks, that works for not writing the iRule logs to disk.
My problem is that to do this makes my syslog-ng configuration not supported by F5. The supported method to edit syslog-ng only allows you to append configurations to the file via the include method. Any advanced config like the you purpose requires a direct edit of the file. So, I guess my question is can this be done and still be supported by F5?
Thanks,
-Dan - You should be able to selectively block disk logging by overriding the unwanted disk-file "destination" targets with empty (or TCP-forwarding) versions in your include block.
- Please note, if you reboot or change the syslog config with the GUI or bigpipe any changes made to the syslog config will be gone.
joberreu is on to something. If you use the bigpipe syslog include command to include a second destination for an existing destination it will be used (it might be because it is the last one in the config file). For example:
bigpipe syslog include '"destination d_messages { udp(ip(10.10.1.10)); };"'
should cause log messages to go to the IP instead of the original file /var/log/messages. - You can use the command line to include an entire file of syslog-ng.conf changes, the instructions are here:
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=155 - suprety_83882I followed the article outlined above. But I am not able to override the default destination of log message. It is always written to disk. Here is my include file
syslog include "
weblog filter Log WebLog to remote server
filter f_weblog {
facility(local4) and level(debug..emerg) and match(\"WEBLOG\");
};
destination d_weblog {
udp(\"192.168.0.68\" port (19999));
};
log {
source(local);
filter(f_weblog);
destination(d_weblog);
};
filter f_no_weblog {
not match(\"WEBLOG\");
};
local4.*
/var/log/ltmfilter f_local4 {
facility(local4);
};
log {
source(s_syslog_pipe);
filter(f_local4);
filter(f_no_weblog);
destination(d_ltm);
};
"
Any help would be greatly appreciated.
- JRahm
Admin
if logging to syslog, you ARE writing to disk. To avoid it, you need to use the log or HSL:: commands in iRules - hooliosuprety, that looks about right at first glance. What does your syslog-ng.conf file look like after saving the config?
Aaron
