Yoshi_126949
Mar 18, 2014

User audit via HSL

Hi,

I'm trying to get some of the F5 logging into our syslog server. What I specifically need are the user login records from the device. I've configured a remote syslogger and that seems okay. I get the login records. However, I get a lot of extra junk on SSL handshakes as well.

Now, as I see it, I can either write a filter for syslog to get rid of all of those SSL handshake logs (any ideas on what I need to filter out here? I've put an example of what it looks like below) or I can try to use HSL, which has inbuilt filters and also allows you to have a redundant syslog server without having dual logging, which is good. What I noticed with that, though, is that even if I set HSL to use an all/info filter, then I don't get any user audit logs coming through. Has anyone had any luck getting user audits working on HSL, and if so, may I ask how?

These are some example SSL handshake syslogs I need to write a filter for if I can't get audit logging working on HSL:

    Mar 18 17:25:20 s2ltm01 info logger: [ssl_acc] 172.31.14.228 - admin [18/Mar/2014:17:25:20 +1100] "/tmui/tmui/devmgmt/overview_json.jsp" 200 580
    Mar 18 17:25:21 s2ltm02 info logger: [ssl_acc] 127.0.0.1 - - [18/Mar/2014:17:25:21 +1100] "/iControl/iControlPortal.cgi" 200 765
    Mar 18 17:25:21 s2ltm02 info logger: [ssl_req][18/Mar/2014:17:25:21 +1100] 127.0.0.1 TLSv1 RC4-SHA "/iControl/iControlPortal.cgi" 765
    Mar 18 17:25:21 s2ltm02 info logger: [ssl_req][18/Mar/2014:17:25:21 +1100] 127.0.0.1 TLSv1 RC4-SHA "/iControl/iControlPortal.cgi" 626
    Mar 18 17:25:21 s2ltm02 info logger: [ssl_acc] 127.0.0.1 - - [18/Mar/2014:17:25:21 +1100] "/iControl/iControlPortal.cgi" 200 626

Thank you.
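
A receiver-side filter for the records quoted above, as an added example that is not part of the original post or of any F5 tooling: it drops only lines positively identified as `[ssl_acc]`/`[ssl_req]` and keeps everything else, so an unrecognised audit record is never discarded. The function names, the reading of the `[ssl_acc]` body as access-log fields, and the final sample line are assumptions.

```python
import re

# Line layout of the sample records in the post:
#   "<Mon DD HH:MM:SS> <host> <level> <program>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<level>\S+) (?P<program>[^:\s]+): (?P<msg>.*)$"
)
NOISE_RE = re.compile(r"^\[(ssl_acc|ssl_req)\]")  # message tags to drop
# [ssl_acc] body read as access-log fields (assumption from the sample):
# client, ident, user, [time], "path", status, bytes.
ACC_RE = re.compile(
    r'^\[ssl_acc\] (?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<path>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)$'
)

def parse(line):
    """Split one syslog line into fields; None if the layout is unknown."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_noise(line):
    """True only for lines positively identified as [ssl_acc]/[ssl_req]."""
    rec = parse(line)
    return bool(rec and rec["program"] == "logger" and NOISE_RE.match(rec["msg"]))

def keep(lines):
    """Drop the noise; unparsed lines are kept so audit records are not lost."""
    return [l for l in lines if l.strip() and not is_noise(l)]

def gui_requests_by_user(lines):
    """Count [ssl_acc] requests per (user, client) where a user is present."""
    counts = {}
    for l in lines:
        rec = parse(l)
        acc = ACC_RE.match(rec["msg"]) if rec else None
        if acc and acc["user"] != "-":
            key = (acc["user"], acc["client"])
            counts[key] = counts.get(key, 0) + 1
    return counts

# First three lines are records quoted in the post; the last is a
# constructed placeholder standing in for a login record (not real output).
SAMPLE = [
    'Mar 18 17:25:20 s2ltm01 info logger: [ssl_acc] 172.31.14.228 - admin [18/Mar/2014:17:25:20 +1100] "/tmui/tmui/devmgmt/overview_json.jsp" 200 580',
    'Mar 18 17:25:21 s2ltm02 info logger: [ssl_acc] 127.0.0.1 - - [18/Mar/2014:17:25:21 +1100] "/iControl/iControlPortal.cgi" 200 765',
    'Mar 18 17:25:21 s2ltm02 info logger: [ssl_req][18/Mar/2014:17:25:21 +1100] 127.0.0.1 TLSv1 RC4-SHA "/iControl/iControlPortal.cgi" 765',
    'Mar 18 17:26:02 s2ltm01 notice sshd[4242]: CONSTRUCTED login record for user admin',
]
```

`gui_requests_by_user` shows what the filter throws away: the `[ssl_acc]` lines are the only ones in the sample that tie a management-GUI request to a user name and client address.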

2 Replies

  • HSL will log only traffic flowing through the BIG-IP, not management traffic.

  • I was having a heck of a time getting this to work through the Log Filters configuration, but I was able to make it log logon and logoff with the following TMSH command:

    tmsh modify sys syslog include "destination remote_server {udp(10.70.0.99 port (514));};filter f_auths {facility (auth,authpriv) and level (debug...emerg);};log {source(local);filter(f_auths);destination(remote_server);};"

    To disable this:

    tmsh modify sys syslog include none