Forum Discussion
tbriscoe_90614
Aug 11, 2017Nimbostratus
Viprion F5 sending logs to Qradar need the slot number removed
When sending the log to QRadar, it comes up in the format of slot/hostname:
<132>Aug 11 15:27:37 slot1/testf502 warning tmm[11723]: 01260026:4: No shared ciphers between SSL peers 185.181.102....
Daniel_Tavernie
Nov 29, 2017Cirrostratus
I was able to remove the "slot1/" hostname prefix in syslog messages sent to a remote server using the below configuration on TMOS 12.1.2 HF1 (it likely works elsewhere, I just haven't tested). A few notes:
- The result of this is that logs from the Primary slot are sent from the Cluster IP Address and logs from any Secondary slots are sent from the respective slot's assigned IP address. I did not test what happens if the slot (blade) is not assigned an IP.
- It appears that any `sys syslog remote-servers` configuration is ignored when the above `sys syslog include` configuration is in place.
- This configuration will be synced to any HA peers.
- I tested an upgrade from 12.1.2 HF1 to 13.0.0 HF2 and the configuration was kept intact and was fully functional post-upgrade.
- Someday if F5 changes how they do syslog or changes the version of syslog in use this may break.
Formatted Configuration:
```
sys syslog {
    remote-servers none
    include "
template t_no_slot_tmpl {
# These are the original template values (aside from escaped quotes)
# from t_commontmpl in /etc/syslog-ng/syslog-ng.conf on slot1 and
# slot2 of a VIPRION chassis (same on vCMP guests).
#   template(\"<$PRI> $STAMP slot1/$HOST $PRIORITY $MSG\\n\");
#   template(\"<$PRI> $STAMP slot2/$HOST $PRIORITY $MSG\\n\");
# This is the modified template value to remove the slot reference.
# For multi-slot hosts and guests you will lose visibility of
# which tmos instance (slot) is producing the log message.
    template(\"<$PRI> $STAMP $HOST $PRIORITY $MSG\\n\");
    template_escape(no);
};
destination d_no_slot_loghost {
    udp(\"10.10.10.1\" port(514) template(t_no_slot_tmpl));
    udp(\"10.10.10.2\" port(514) template(t_no_slot_tmpl));
};
log {
    source(local);
    destination(d_no_slot_loghost);
};
"
}
```
Note that if you are going to paste the text in via `edit sys syslog` you will want to remove all leading spaces/tabs. The tmsh (tm shell) formats the pasted text on the fly and expands the space in a cascade if leading spaces exist. Also, optionally you can use single quotes around the `include` text (as seen below) to eliminate the need to manually escape every double quote and backslash. The tmsh automatically does the escaping when you exit `edit sys syslog` and save the configuration (so it will look like what I pasted above). For example:
```
include '
template t_no_slot_tmpl {
# This is the original template t_commontmpl value from /etc/syslog-ng/syslog-ng.conf
#   template("<$PRI> $STAMP slot1/$HOST $PRIORITY $MSG\n");
# This is the modified template value to remove the slot reference.
# For multi-slot hosts and guests you will lose visibility of
# which tmos instance (slot) is producing the log message.
template("<$PRI> $STAMP $HOST $PRIORITY $MSG\n");
template_escape(no);
};
destination d_no_slot_loghost {
# For each specific network destination use the custom template
udp("10.10.10.1" port(514) template(t_no_slot_tmpl));
udp("10.10.10.2" port(514) template(t_no_slot_tmpl));
};
log {
# Using the raw local source (untested whether GUI log settings affect this)
source(local);
# Sending the logs to the destinations listed
destination(d_no_slot_loghost);
};
'
```
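As an added example (not code from the thread, F5 or QRadar), the following Python script shows what the two template strings in the answer produce for one message and how a collector-side parser reads the result: it expands the `$NAME` macros with a minimal stand-in for syslog-ng macro handling, parses the BSD-style line into PRI/facility/severity, host, program, PID and message, and separates a `slotN/` prefix from the hostname so the slot number survives as its own field instead of being lost, which is the visibility trade-off the answer points out. The sample log line, its IP address, and the `render_template`, `parse_line` and `strip_slot` helper names are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# The two template strings from the answer (syslog-ng macro syntax, unescaped).
ORIGINAL_TEMPLATE = "<$PRI> $STAMP slot1/$HOST $PRIORITY $MSG\n"   # F5 default t_commontmpl
NO_SLOT_TEMPLATE = "<$PRI> $STAMP $HOST $PRIORITY $MSG\n"          # modified t_no_slot_tmpl

# Constructed field values modelled on the line quoted in the question.
# PRI 132 = facility 16 (local0) * 8 + severity 4 (warning); the IP is a documentation address.
SAMPLE_FIELDS = {
    "PRI": 132,
    "STAMP": "Aug 11 15:27:37",
    "HOST": "testf502",
    "PRIORITY": "warning",
    "MSG": "tmm[11723]: 01260026:4: No shared ciphers between SSL peers 192.0.2.10",
}

# Constructed copy of the question's line layout (no space after the PRI bracket).
SAMPLE_LINE = (
    "<132>Aug 11 15:27:37 slot1/testf502 warning tmm[11723]: "
    "01260026:4: No shared ciphers between SSL peers 192.0.2.10"
)

MACRO_RE = re.compile(r"\$([A-Z]+)")


def render_template(template: str, fields: dict) -> str:
    """Stand-in for syslog-ng macro expansion: replaces every $NAME with fields[NAME].

    Real syslog-ng has many more macros and escaping rules; this only covers the
    five macros used by the F5 templates above.
    """
    return MACRO_RE.sub(lambda m: str(fields[m.group(1)]), template)


# BSD-style line as the F5 templates emit it:
#   <PRI>[ ]STAMP [slotN/]HOST PRIORITY PROGRAM[PID]: MSG
# The optional space after <PRI> tolerates both the template's output and the
# question's sample. The day field may be space-padded ("Aug  1").
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?:slot(?P<slot>\d+)/)?(?P<host>\S+) "
    r"(?P<level>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str            # hostname with any slotN/ prefix removed
    slot: Optional[int]  # slot number if the line carried one, else None
    level: str           # the $PRIORITY text the F5 template inserts (e.g. "warning")
    program: str
    pid: Optional[int]
    msg: str


def parse_line(line: str) -> Optional[SyslogEvent]:
    """Parse one F5-style syslog line; returns None when the line does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    return SyslogEvent(
        facility=pri // 8,
        severity=pri % 8,
        timestamp=m.group("stamp"),
        host=m.group("host"),
        slot=int(m.group("slot")) if m.group("slot") else None,
        level=m.group("level"),
        program=m.group("program"),
        pid=int(m.group("pid")) if m.group("pid") else None,
        msg=m.group("msg"),
    )


# Matches the header up to and including a slotN/ prefix, capturing the prefix separately.
SLOT_HOST_RE = re.compile(r"^(<\d{1,3}>\s*[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} )slot(\d+)/")


def strip_slot(line: str) -> Tuple[str, Optional[int]]:
    """Collector-side equivalent of the template change: drop 'slotN/' from the host
    field but hand back N so it can be stored as a separate attribute."""
    m = SLOT_HOST_RE.match(line)
    if not m:
        return line, None
    return line[: m.end(1)] + line[m.end():], int(m.group(2))


if __name__ == "__main__":
    print(render_template(ORIGINAL_TEMPLATE, SAMPLE_FIELDS), end="")
    print(render_template(NO_SLOT_TEMPLATE, SAMPLE_FIELDS), end="")
    print(parse_line(SAMPLE_LINE))
    print(strip_slot(SAMPLE_LINE))
```

Running the script prints the slot-prefixed and slot-free renderings of the same message, then the parsed event (host `testf502`, slot `1`) and the normalized line. If the F5 side cannot be changed, `strip_slot` is the piece a log pipeline would run before the event reaches the SIEM, keeping the slot number that the template change discards.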