For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

tbriscoe_90614's avatar
tbriscoe_90614
Icon for Nimbostratus rankNimbostratus
Aug 11, 2017

Viprion F5 sending logs to Qradar need the slot number removed

when sending the log to qradar it comes up in the format of slot/hostname   <132>Aug 11 15:27:37 slot1/testf502 warning tmm[11723]: 01260026:4: No shared ciphers between SSL peers 185.181.102....
application delivery
iRules
LTM
yapchinhoong's avatar
yapchinhoong
Icon for Nimbostratus rankNimbostratus
Nov 20, 2024

K76259573: Adding or modifying FQDN hostnames for syslog messages
https://my.f5.com/manage/s/article/K76259573

In the following example, we only perform on-the-wire message rewriting upon the messages destined for the 2nd Syslog server (22.22.22.22).
The Syslog messages destined for the 1st Syslog server (11.11.11.11) will still have the hostname in the slot#/<FQDN> format.

<${PRI}> = FACILITY + PRIORITY

slot1/CBJ01-SVR-LB01.celcom.net.my
$(substr ${HOST} 6 14) = start with 0 (before s), at position 6 (before C), cut out 14 characters = CBJ01-SVR-LB01

Vendor01@(CBJ01-SVR-LB01)(cfg-sync In Sync)(/S1-green-P::Active)(/Common)(tmos)# list sys syslog
sys syslog {
    include "
    filter f_remote_loghost {
        level(info..emerg);
    };
    template custom_remote_template {
        template(\"<${PRI}>$DATE $(substr ${HOST} 6 10) $PRIORITY $MSG from $HOST\\n\");
        template_escape(no);
    };
    destination my_remote_server {
        udp(\"11.11.11.11\"
        port(514)
      );
        udp(\"22.22.22.22\"
        port(514)
        template(custom_remote_template)
        persist-name(Remote1)
      );
    };
    log {
        source(s_syslog_pipe);
        filter(f_remote_loghost);
        destination(my_remote_server);
    };
    "
}
Vendor01@(CBJ01-SVR-LB01)(cfg-sync In Sync)(/S1-green-P::Active)(/Common)(tmos)#