Forum Discussion
jkstraw_44238
Nimbostratus
NimbostratusVirt_server logs to remote syslog
I am running a BigIP with V. 9.4
I have the following iRule logging correctly to /var/log/ltm but I am also trying to get the web traffic forwarded to central syslog-ng server.
when HTTP_REQUEST {
set http_request_time [clock clicks -milliseconds]
set request_log_line "\
[HTTP::request_num],\
[IP::remote_addr],\
[HTTP::method],\
[HTTP::version],\
[HTTP::host],\
\"[HTTP::uri]\",\
\"[HTTP::header value Referer]\",
\"[HTTP::header User-Agent]\",\
\"[HTTP::cookie value JSESSIONID]\",\
[SSL::cipher name],\
[SSL::cipher version],\
[SSL::cipher bits]"
}
when HTTP_RESPONSE {
set http_response_time [ clock clicks -milliseconds ]
log local0. "$request_log_line,\
[HTTP::status],\
[HTTP::payload length],\
[expr $http_response_time - $http_request_time]"
}In the /etc/syslog-ng/syslog-ng.conf file I have added the following:
Remote Syslog Server
destination remote {
udp("xxx.xxx.xxx.xxx" port (514));
};
local0.* /var/log/ltm
filter f_local0 {
facility(local0) and level(info..emerg); };
destination d_ltm {
file("/var/log/ltm" create_dirs(yes)); };
log {
source(local);
filter(f_local0);
destination(d_ltm);
destination(remote);
};I know the "destination(d_ltm)" is working - but my "destination(remote)" is not working 100%. My Syslog server is getting local0-notice level messages (eg. mcpd[1725]: 01070639:5: Pool member xxx.xxx.xxx.xxx:8080 session status disabled.) but none of the web logs.
Does anyone have any ideas?
- dennypayne
Employee
Interesting...I just tested this and it seems that logs generated from a rule show a hostname of tmm and no status code, unlike other logs which show the hostname of the box and a status code (here it is 01070638 for unchecked monitor).Fri Jun 29 14:56:10 CDT 2007 tmm tmm[1399] Rule testlog CLIENT_ACCEPTED: blah blah blah Fri Jun 29 14:57:08 CDT 2007 DDCNDCNDISLB8AJ1Z mcpd[1580] 01070638 Pool member 10.128.214.226:80 monitor status unchecked.
Not sure exactly what that means regarding your problem but my speculation is that without a status code it doesn't fit into the info..emerg level structure? Have you tried lowering the level to debug?
Denny 
jkstraw_44238Sorry for the slow response (long weekend).
Yes I had tried to troubleshoot the problem by logging in debug. Still not traffic logs however.
