Forum Discussion
tbriscoe_90614
Nimbostratus
Aug 11, 2017
Viprion F5 sending logs to QRadar need the slot number removed
When sending the log to QRadar, it comes up in the format of slot/hostname.
<132>Aug 11 15:27:37 slot1/testf502 warning tmm[11723]: 01260026:4: No shared ciphers between SSL peers 185.181.102....
yapchinhoong
Nimbostratus
Nov 19, 2024
K76259573: Adding or modifying FQDN hostnames for syslog messages
https://my.f5.com/manage/s/article/K76259573
In the following example, we only perform on-the-wire message rewriting upon the messages destined for the 2nd Syslog server (22.22.22.22).
The Syslog messages destined for the 1st Syslog server (11.11.11.11) will still have the hostname in the slot#/<FQDN> format.
<${PRI}> = FACILITY + PRIORITY
slot1/CBJ01-SVR-LB01.celcom.net.my
$(substr ${HOST} 6 14) = start with 0 (before s), at position 6 (before C), cut out 14 characters = CBJ01-SVR-LB01
```
Vendor01@(CBJ01-SVR-LB01)(cfg-sync In Sync)(/S1-green-P::Active)(/Common)(tmos)# list sys syslog
sys syslog {
    include "
        filter f_remote_loghost {
            level(info..emerg);
        };
        template custom_remote_template {
            template(\"<${PRI}>$DATE $(substr ${HOST} 6 10) $PRIORITY $MSG from $HOST\\n\");
            template_escape(no);
        };
        destination my_remote_server {
            udp(\"11.11.11.11\"
                port(514)
            );
            udp(\"22.22.22.22\"
                port(514)
                template(custom_remote_template)
                persist-name(Remote1)
            );
        };
        log {
            source(s_syslog_pipe);
            filter(f_remote_loghost);
            destination(my_remote_server);
        };
    "
}
Vendor01@(CBJ01-SVR-LB01)(cfg-sync In Sync)(/S1-green-P::Active)(/Common)(tmos)#
```
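Because `$(substr ${HOST} offset length)` cuts at fixed positions, the two numbers have to match the actual hostname, or the SIEM receives a truncated log source name. The following Python sketch is an added example, not part of the original post or of F5's article: it models `substr` for non-negative arguments, derives the offset and length for a given `slotN/<FQDN>` value, and renders the template from the post so the result can be checked before the configuration is changed. The function names and the message text are assumptions made for illustration.

```python
import re

# "slot1/", "slot2/", ... as prepended to HOST on a VIPRION blade
SLOT_PREFIX = re.compile(r"^slot\d+/")

def substr(s, offset, length=None):
    """Model of syslog-ng $(substr s offset length), non-negative arguments only."""
    if offset < 0 or (length is not None and length < 0):
        raise ValueError("only non-negative offset/length are modelled here")
    return s[offset:] if length is None else s[offset:offset + length]

def substr_args(host, short=True):
    """Return (offset, length) that keep the name following 'slotN/'.

    short=True stops at the first dot (short hostname);
    short=False keeps the whole FQDN.
    """
    m = SLOT_PREFIX.match(host)
    if not m:
        raise ValueError(f"no slotN/ prefix in {host!r}")
    offset = m.end()
    name = host[offset:]
    if short:
        name = name.split(".", 1)[0]
    return offset, len(name)

def render(pri, date, host, priority, msg, offset, length):
    """Render the post's template:
    <${PRI}>$DATE $(substr ${HOST} o l) $PRIORITY $MSG from $HOST\\n
    """
    return f"<{pri}>{date} {substr(host, offset, length)} {priority} {msg} from {host}\n"

if __name__ == "__main__":
    host = "slot1/CBJ01-SVR-LB01.celcom.net.my"   # HOST value from the post
    print("suggested arguments:", substr_args(host))
    # Compare the two lengths that appear in the post (14 in the
    # explanation, 10 in the listed configuration).
    for length in (14, 10):
        line = render("132", "Aug 11 15:27:37", host, "warning",
                      "constructed test message", 6, length)
        print(f"substr 6 {length}: {line}", end="")
```

Run it with the hostname of each blade that forwards logs; any host whose name has a different length needs its own arguments, otherwise QRadar sees a clipped name.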