Forum Discussion

tbriscoe_90614
Aug 11, 2017

Viprion F5 sending logs to Qradar need the slot number removed

When sending the log to QRadar it comes up in the format of slot/hostname:

    <132>Aug 11 15:27:37 slot1/testf502 warning tmm[11723]: 01260026:4: No shared ciphers between SSL peers 185.181.102.18.56372:192.168.10.156.443.

Looking to remove the slot from the log entry before sending to QRadar to allow for better sorting.

 

  • I don't think it is possible to remove the slot from the logs. You can always sort after the log is sent to the server, imo.

  • Harm4432_319355
    Historic F5 Account

    Steps to remove "slot1/" from remote syslog.

    https://support.f5.com/csp/article/K13333

    1) tmsh modify /sys syslog remote-servers none

    2) tmsh edit /sys syslog all-properties

    3) Find the line "include none" and replace "none" with the include statement below (press "i" for insert mode):

        include "
        options {
        keep_hostname(no);
        };
        filter f_remote_loghost {
        level(warn..emerg);
        };
        destination d_remote_loghost {
        tcp(\"IP_SERVER_1\" port(514));
        udp(\"IP_SERVER_2\" port(514));
        };
        log {
        source(s_syslog_pipe);
        filter(f_remote_loghost);
        destination(d_remote_loghost);
        };
        "

  • I was able to remove the "slot1/" hostname prefix in syslog messages sent to a remote server using the below configuration on TMOS 12.1.2 HF1 (it likely works elsewhere, I just haven't tested). A few notes:

    • The result of this is that logs from the Primary slot are sent from the Cluster IP Address and logs from any Secondary slots are sent from the respective slot's assigned IP address. I did not test what happens if the slot (blade) is not assigned an IP.
    • It appears that any `sys syslog remote-servers` configuration is ignored when the above `sys syslog include` configuration is in place.
    • This configuration will be synced to any HA peers.
    • I tested an upgrade from 12.1.2 HF1 to 13.0.0 HF2 and the configuration was kept intact and was fully functional post-upgrade.
    • Someday if F5 changes how they do syslog or changes the version of syslog in use this may break.

    Formatted Configuration:

    sys syslog {
        remote-servers none
        include "
        template t_no_slot_tmpl {
            # These are original template values (aside from escaped quotes)
            # from t_commontmpl in /etc/syslog-ng/syslog-ng.conf on slot1 and
            # slot2 of a VIPRION chassis (same on vCMP guests).
            # template(\"<$PRI> $STAMP slot1/$HOST $PRIORITY $MSG\\n\");
            # template(\"<$PRI> $STAMP slot2/$HOST $PRIORITY $MSG\\n\");

            # This is the modified template value to remove slot reference.
            # For multi-slot hosts and guests you will lose visibility of
            # which tmos instance (slot) is producing the log message.
            template(\"<$PRI> $STAMP $HOST $PRIORITY $MSG\\n\");
            template_escape(no);
        };

        destination d_no_slot_loghost {
            udp(\"10.10.10.1\" port(514) template(t_no_slot_tmpl));
            udp(\"10.10.10.2\" port(514) template(t_no_slot_tmpl));
        };

        log {
            source(local);
            destination(d_no_slot_loghost);
        };
        "
    }

    Note that if you are going to paste the text in via `edit sys syslog` you will want to remove all leading spaces/tabs. The tmsh (tm shell) formats the pasted text on the fly and expands the space in a cascade if leading spaces exist. Also, optionally you can use single quotes around the `include` text (as seen below) to eliminate the need to manually escape every double quote and backslash. The tmsh automatically does the escaping when you exit `edit sys syslog` and save the configuration (so it will look like what I pasted above). For example:

    include '
    template t_no_slot_tmpl {
    # This is the original template t_commontmpl value from /etc/syslog-ng/syslog-ng.conf
    # template("<$PRI> $STAMP slot1/$HOST $PRIORITY $MSG\n");

    # This is the modified template value to remove slot reference.
    # For multi-slot hosts and guests you will lose visibility of
    # which tmos instance (slot) is producing the log message.
    template("<$PRI> $STAMP $HOST $PRIORITY $MSG\n");
    template_escape(no);
    };
    destination d_no_slot_loghost {
    # For each specific network destination use the custom template
    udp("10.10.10.1" port(514) template(t_no_slot_tmpl));
    udp("10.10.10.2" port(514) template(t_no_slot_tmpl));
    };
    log {
    # Using the raw local source (untested whether GUI log settings affect this)
    source(local);
    # Sending the logs to the destinations listed
    destination(d_no_slot_loghost);
    };
    '
    
  • DR_A__18839
    Historic F5 Account

    I think what you want is this:

    tmsh modify sys syslog clustered-host-slot disabled

    And possibly:

    tmsh modify sys syslog clustered-message-slot enabled

    Some example usage and output, for easy reference:

    [root@Viprion:/S1-green-P:Active:Standalone] config # tmsh list sys syslog all-properties|grep cluster
        clustered-host-slot enabled
        clustered-message-slot disabled

    [root@Viprion:/S1-green-P:Active:Standalone] config # tail -2 /var/log/ltm
    Jan 11 14:53:04 slot1/Viprion info audit_forwarder: audit_forwarder started.
    Jan 11 14:53:03 slot3/Viprion info audit_forwarder: audit_forwarder started.

    [root@Viprion:/S1-green-P:Active:Standalone] config # tmsh modify sys syslog clustered-host-slot disabled
    [root@Viprion:/S1-green-P:Active:Standalone] config # tail -2 /var/log/ltm
    Jan 11 14:53:59 Viprion info audit_forwarder: audit_forwarder started.
    Jan 11 14:54:01 Viprion info audit_forwarder: audit_forwarder started.

    [root@Viprion:/S1-green-P:Active:Standalone] config # tmsh modify sys syslog clustered-message-slot enabled
    [root@Viprion:/S1-green-P:Active:Standalone] config # tail -2 /var/log/ltm
    Jan 11 14:54:21 Viprion info slot1 audit_forwarder: audit_forwarder started.
    Jan 11 14:54:23 Viprion info slot3 audit_forwarder: audit_forwarder started.

    [root@Viprion:/S1-green-P:Active:Standalone] config # tmsh modify sys syslog clustered-host-slot enabled
    [root@Viprion:/S1-green-P:Active:Standalone] config # tail -2 /var/log/ltm
    Jan 11 14:54:37 slot1/Viprion info slot1 audit_forwarder: audit_forwarder started.
    Jan 11 14:54:39 slot3/Viprion info slot3 audit_forwarder: audit_forwarder started.

    [root@Viprion:/S1-green-P:Active:Standalone] config # tmsh modify sys syslog clustered-message-slot disabled

    I know these have existed since at least v12.

    • PhillyPDXmike_1

      tmsh modify sys syslog clustered-host-slot disabled successfully removed the slot from the syslog message for numerous vCMP guest clusters running 13.1.1.4 (BIGIP-13.1.1.4-0.0.4.iso).
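
    The three message shapes shown in the session above (slotN/host, bare host, and host with the slot word after the priority) can be checked on the collector side before touching the BIG-IP. The script below is an added example, not code from the thread or from F5: it parses the BSD-style line that BIG-IP's default template emits, decodes the PRI, and re-renders it in each shape so you can confirm what QRadar will receive. Sample lines, the `SyslogRecord` type and the function names are constructed for this example; `strip_slot_prefix` is a collector-side fallback for boxes where the template cannot be changed.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample lines, modelled on the messages quoted in this thread
# (the first is the opening post's line; the second mirrors the /var/log/ltm
# entries with a PRI prepended as it would appear on the wire).
SAMPLE_LINES = [
    "<132>Aug 11 15:27:37 slot1/testf502 warning tmm[11723]: 01260026:4: "
    "No shared ciphers between SSL peers 185.181.102.18.56372:192.168.10.156.443.",
    "<134>Jan 11 14:53:03 slot3/Viprion info audit_forwarder: audit_forwarder started.",
]

# BSD-style syslog as BIG-IP's default t_commontmpl emits it:
#   <PRI>TIMESTAMP [slotN/]HOST PRIORITYWORD MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?:(?P<slot>slot\d+)/)?(?P<host>\S+) "
    r"(?P<level>[a-z]+) "
    r"(?P<msg>.*)$"
)

# Anchored so a "slot1" that happens to appear inside the message body is left alone.
SLOT_PREFIX_RE = re.compile(r"^(<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d )slot\d+/")


class SyslogRecord(NamedTuple):
    facility: int          # PRI // 8  (132 -> 16, local0)
    severity: int          # PRI % 8   (132 -> 4, warning)
    stamp: str
    slot: Optional[str]    # "slot1" when the host field carried a slot prefix, else None
    host: str
    level: str             # the $PRIORITY word BIG-IP inserts after the host
    msg: str


def parse(line: str) -> SyslogRecord:
    """Split one BIG-IP syslog line into its fields; raises on an unexpected shape."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"not a BIG-IP syslog line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # facility 0..23, severity 0..7
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogRecord(pri >> 3, pri & 7, m["stamp"], m["slot"],
                        m["host"], m["level"], m["msg"])


def render(rec: SyslogRecord, host_slot: bool = True, message_slot: bool = False) -> str:
    """Re-emit a record in the shapes seen in the thread.

    host_slot=True,  message_slot=False : slotN/host ...        (clustered-host-slot enabled, the default)
    host_slot=False, message_slot=False : host ...              (clustered-host-slot disabled, or a
                                                                 template without the slot reference)
    host_slot=False, message_slot=True  : host level slotN ...  (clustered-message-slot enabled)
    """
    hostpart = f"{rec.slot}/{rec.host}" if (host_slot and rec.slot) else rec.host
    slotword = f"{rec.slot} " if (message_slot and rec.slot) else ""
    pri = rec.facility * 8 + rec.severity
    return f"<{pri}>{rec.stamp} {hostpart} {rec.level} {slotword}{rec.msg}"


def strip_slot_prefix(line: str) -> str:
    """Collector-side fallback: drop 'slotN/' from the host field and change nothing else."""
    return SLOT_PREFIX_RE.sub(r"\1", line, count=1)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse(line)
        print(f"facility={rec.facility} severity={rec.severity} slot={rec.slot} host={rec.host}")
        print("  host-slot off     :", render(rec, host_slot=False))
        print("  + message-slot on :", render(rec, host_slot=False, message_slot=True))
```

    Running it shows that with the host slot removed the host field becomes a plain `testf502`, which is what a collector keys on when it groups events by source; keeping `message_slot=True` preserves the blade identity inside the message, which is the trade-off the earlier post warns about when the slot reference is dropped entirely.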

       

  • K76259573: Adding or modifying FQDN hostnames for syslog messages
    https://my.f5.com/manage/s/article/K76259573

    In the following example, we only perform on-the-wire message rewriting upon the messages destined for the 2nd Syslog server (22.22.22.22).
    The Syslog messages destined for the 1st Syslog server (11.11.11.11) will still have the hostname in the slot#/<FQDN> format.

    <${PRI}> = FACILITY + PRIORITY

    slot1/CBJ01-SVR-LB01.celcom.net.my
    $(substr ${HOST} 6 14) = start with 0 (before s), at position 6 (before C), cut out 14 characters = CBJ01-SVR-LB01

    Vendor01@(CBJ01-SVR-LB01)(cfg-sync In Sync)(/S1-green-P::Active)(/Common)(tmos)# list sys syslog
    sys syslog {
        include "
        filter f_remote_loghost {
            level(info..emerg);
        };
        template custom_remote_template {
            template(\"<${PRI}>$DATE $(substr ${HOST} 6 14) $PRIORITY $MSG from $HOST\\n\");
            template_escape(no);
        };
        destination my_remote_server {
            udp(\"11.11.11.11\"
                port(514)
            );
            udp(\"22.22.22.22\"
                port(514)
                template(custom_remote_template)
                persist-name(Remote1)
            );
        };
        log {
            source(s_syslog_pipe);
            filter(f_remote_loghost);
            destination(my_remote_server);
        };
        "
    }
    Vendor01@(CBJ01-SVR-LB01)(cfg-sync In Sync)(/S1-green-P::Active)(/Common)(tmos)#
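
    The `$(substr ${HOST} 6 14)` trick above depends on the slot prefix being exactly six characters and the short hostname exactly fourteen, so it silently breaks on a two-digit slot or a differently named device. The following added example (not from the thread, the KB article or F5) models syslog-ng's `substr` template function from its documented semantics, shows the result on the hostname quoted above and on a constructed one that does not fit the offsets, and contrasts it with an anchored regular expression that strips any `slotN/` prefix regardless of width. `HOSTS`, `substr`, `strip_slot`, `short_hostname` and `render_custom_template` are names chosen for this example.

```python
import re
from typing import Optional

# Constructed hostnames: the first is the one quoted in the post above, the
# second is made up to show what fixed offsets do when the slot number is wider.
HOSTS = [
    "slot1/CBJ01-SVR-LB01.celcom.net.my",
    "slot12/lb-dmz-02.example.net",   # constructed
]


def substr(value: str, offset: int, length: Optional[int] = None) -> str:
    """Model of syslog-ng's $(substr "string" offset [length]) template function:
    0-based character offset (a negative offset counts from the end) and an
    optional length. Written from the documented behaviour as an assumption;
    it is not syslog-ng's own code."""
    if offset < 0:
        offset = max(len(value) + offset, 0)
    if length is None:
        return value[offset:]
    return value[offset:offset + length]


# Anchored at the start of the host field so only a genuine slot prefix is removed.
SLOT_RE = re.compile(r"^slot\d+/")


def strip_slot(host: str) -> str:
    """Remove a leading slotN/ whatever the width of N; unchanged if absent."""
    return SLOT_RE.sub("", host, count=1)


def short_hostname(host: str) -> str:
    """Slot prefix dropped and the FQDN cut at the first dot."""
    return strip_slot(host).split(".", 1)[0]


def render_custom_template(pri: int, date: str, host: str, priority: str, msg: str) -> str:
    """custom_remote_template from the post above, evaluated in Python, so the
    on-the-wire result for a given $HOST can be checked before deploying it."""
    return f"<{pri}>{date} {substr(host, 6, 14)} {priority} {msg} from {host}\n"


if __name__ == "__main__":
    for h in HOSTS:
        print(f"{h!r}")
        print(f"  substr(6, 14)  -> {substr(h, 6, 14)!r}")
        print(f"  strip_slot     -> {strip_slot(h)!r}")
        print(f"  short_hostname -> {short_hostname(h)!r}")
```

    On the first hostname the fixed offsets give `CBJ01-SVR-LB01`, matching the post; on the constructed second one they give `/lb-dmz-02.exa`, so the collector would see a host it cannot match to an asset. Stripping the prefix with a pattern (or disabling `clustered-host-slot`, as the earlier reply shows) does not have that failure mode, and `render_custom_template` lets you confirm the template's output for every hostname in the estate before the change goes to a chassis.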