Forum Discussion
fillstrsoh_2962
Nimbostratus
Nimbostratustmm entries for syslog
When tmm logs to our remote syslog-ng servers but the entries show up as coming from tmm instead of the IP/hostname of the actual system. Since we have multiple Big-IPs the tmm entries from multiple machines are collected in one file instead of the file specific to that machine. See examples that are from two separate Big-IPs:
Dec 11 04:39:56 tmm tmm[3793]: Rule v3vvv_irule : ,clnt_ip=10.100.x.x,clnt_port=1060,loc_ip=10.100.x.x,loc_port=80,uri=/,http_redirect=https://v3vvv/v3vvv/app
Dec 11 06:26:15 tmm tmm[1094]: Rule oit_forced_route : Sending Traffic to 12.146.x.x through OIT router
We were able to modify the syslog-ng.conf file of the syslog server we manage so that the tmm entries log to the appropriate files. We also send logs to a MSSP syslog server which is seeing the tmm entries as described above. Is there a change on the Big-IPs that can be made so that the tmm entries show the IP/hostname that they are coming from?
It looks like this is happening on two Big-IP LTM units (version 9.3.1 build 46.7) and two Big-IP ASM units (version 9.4.5 Build 1086.1 HF2).
F5 support responded, "The only way to do this on the BigIPs would be to use the 'bigpipe syslog include' command and create a filter on the LTM's config. But this is outside the scope of what we cover here in support."
Any help creating this filter would be greatly appreciated.
Thanks,
Mark
7 Replies
hoolioCirrostratus
Hi Mark,
I think you can modify syslog-ng to insert an arbitrary string in log messages:
https://lists.balabit.hu/pipermail/syslog-ng/2006-January/008385.html
I don't know if it's pretty, but I've used this kind of thing:
destination d_insert_txt {
tcp("10.0.0.8" port(5140)
template("$DATE $SOURCEIP $MESSAGE - service xyz for user root\n")
template-escape(no)
);
};
filter f_ssh_root_login {
program("sshd") and
match("Accepted keyboard-interactive/pam for root");
};
log {
source(local);
filter(f_ssh_root_login);
destination(d_insert_txt);
};
This sends it over a TCP stream, but you can modify it to use a file
pretty easily.
I wasn't sure if the b syslog utility would allow the use of the template statement, but there is what looks like a very comprehensive example (to send email) which uses templates in the Codeshare from lrhazi:
Syslog-ng Email Configuration (9.4.2+):
http://devcentral.f5.com/wiki/default.aspx/AdvDesignConfig/SyslogNGEmailConfiguration.html
This should be easier on 9.3.1 if you don't have to go through the b syslog utility to modify the syslog-ng configuration file.
Here are some references on using templates in syslog-ng:
Macros: variables for date, hostname, etc (Click here)
Templates: (Click here)
And here is a good FAQ for syslog-ng (campin.net - Click here)
Aaron- fillstrsoh_2962Aaron,
Does syslog-ng get the host portion of this information "Dec 11 04:39:56 tmm tmm" from /etc/hosts? If so would it be possible to modify /etc/hosts so that [127.1.1.2 tmm] would also have the system name as such [127.1.1.2 tmm silver.strsoh.org] so that the output would look like this "Dec 11 04:39:56 silver tmm"?
Also there is an interesting post that describes new features in syslog-ng version 3 that will do exactly what I need.
http://bazsi.blogs.balabit.com/2008_11_01_archive.html
Thanks for the information you provided.
Mark - fillstrsoh_2962Aaron,
Aside from the entry being overwritten during an upgrade, do you forsee any system issues, on either LTM or ASM, as a result of editing /etc/hosts?
Thanks,
Mark - hoolioHi Mark,
Actually, it looks like syslog-ng 3.0 was released already...
A test box didn't fall over immediately upon changing the host file entry. And you'd leave tmm listed as a host for 127.2.0.2. It would just mean that 127.2.0.2 ad the other tmm IP's wouldn't have tmm listed first. I suspect this wouldn't cause any issues, but it would make sense to double check this with F5 Support. They'll probably tell you it's not a supported change. But if you explain why you want to do it, they might be willing to check into any possible problems with it. You could open a request for enhancement at the same time asking them to include the hostname for all loopback IP's.
Aaron - hoolioHi Mark,
If you're still following this post, did you end up using either option? If so, did you have any success?
Thanks,
Aaron - hoolioAlso, if you're generating the syslog messages from an iRule you could manually include the hostname in the log message from the iRule using [info hostname].
Aaron - Another option is to modify the syslog-ng global options to not keep the host name when received and have syslog-ng insert the system name as the host string. Below is the tmsh commands and output.
root@ltm1(Standby)(/Common)(tmos) modify /sys syslog include "options {keep_hostname(no);};"
root@ltm1(Standby)(/Common)(tmos) list /sys syslog
sys syslog {
include "options {keep_hostname(no);};"
remote-servers {
remotesyslog1 {
host 10.1.1.1
remote-port 514
}
}
}
root@ltm1(Standby)(/Common)(tmos) quit
[root@ltm1:Standby] config bigstart restart syslog-ng
Shutting down syslog-ng: [ OK ]
Starting syslog-ng: [ OK ]
[root@ltm1:Standby] config
One other thing, some syslog receivers utilize the incoming ip address to set the host header within the logs. To force this to use the management ip address of the LTM add the local-ip setting. No additional management static routes are needed if the local ip address is utilized. See below for details....
root@ltm1(Standby)(/Common)(tmos) modify /sys syslog { remote-servers modify { remotesyslog1 { local-ip 10.2.1.3 } } }
root@ltm1(Standby)(/Common)(tmos) list /sys syslog sys syslog {
include "options {keep_hostname(no);};"
remote-servers {
remotesyslog1 {
host 10.1.1.1
local-ip 10.2.1.3
remote-port 514
}
}
}
root@lltm1(Standby)(/Common)(tmos)
