Forum Discussion
jkstraw_44238
Nimbostratus
Jun 29, 2007
Virt_server logs to remote syslog
I am running a BigIP with V. 9.4
I have the following iRule logging correctly to /var/log/ltm but I am also trying to get the web traffic forwarded to central syslog-ng server.
when HTTP_REQUEST {
    # Record the request start time so the response handler can compute latency
    set http_request_time [clock clicks -milliseconds]
    # Build the request half of the CSV log line
    set request_log_line "\
    [HTTP::request_num],\
    [IP::remote_addr],\
    [HTTP::method],\
    [HTTP::version],\
    [HTTP::host],\
    \"[HTTP::uri]\",\
    \"[HTTP::header value Referer]\",\
    \"[HTTP::header User-Agent]\",\
    \"[HTTP::cookie value JSESSIONID]\",\
    [SSL::cipher name],\
    [SSL::cipher version],\
    [SSL::cipher bits]"
}
when HTTP_RESPONSE {
    set http_response_time [clock clicks -milliseconds]
    # Append status, payload length and elapsed milliseconds, then log to local0
    log local0. "$request_log_line,\
    [HTTP::status],\
    [HTTP::payload length],\
    [expr {$http_response_time - $http_request_time}]"
}

In the /etc/syslog-ng/syslog-ng.conf file I have added the following:
# Remote Syslog Server
destination remote {
    udp("xxx.xxx.xxx.xxx" port (514));
};

# local0.* /var/log/ltm
filter f_local0 {
    facility(local0) and level(info..emerg);
};
destination d_ltm {
    file("/var/log/ltm" create_dirs(yes));
};
log {
    source(local);
    filter(f_local0);
    destination(d_ltm);
    destination(remote);
};

I know the "destination(d_ltm)" is working - but my "destination(remote)" is not working 100%. My Syslog server is getting local0-notice level messages (e.g. mcpd[1725]: 01070639:5: Pool member xxx.xxx.xxx.xxx:8080 session status disabled.) but none of the web logs.
Does anyone have any ideas?
2 Replies
- dennypayne
Employee
Interesting... I just tested this and it seems that logs generated from a rule show a hostname of tmm and no status code, unlike other logs which show the hostname of the box and a status code (here it is 01070638 for unchecked monitor).

Fri Jun 29 14:56:10 CDT 2007 tmm tmm[1399] Rule testlog CLIENT_ACCEPTED: blah blah blah
Fri Jun 29 14:57:08 CDT 2007 DDCNDCNDISLB8AJ1Z mcpd[1580] 01070638 Pool member 10.128.214.226:80 monitor status unchecked.

Not sure exactly what that means regarding your problem but my speculation is that without a status code it doesn't fit into the info..emerg level structure? Have you tried lowering the level to debug?
Denny
- jkstraw_44238
Nimbostratus
Sorry for the slow response (long weekend).
Yes, I had tried to troubleshoot the problem by logging in debug. Still no traffic logs, however.
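
Added example, not part of the thread and not F5 code: a small Python helper for checking what priority each forwarded message actually carries on the wire, and whether it would pass the `facility(local0) and level(info..emerg)` filter quoted above. The listener port 5514 and the sample datagrams are assumptions; the samples reuse message text from the thread, but their `<PRI>` values are constructed for illustration and are not observed values.

```python
import re
import socket

FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock").split() + [f"local{i}" for i in range(8)]
SEVERITIES = "emerg alert crit err warning notice info debug".split()
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(datagram):
    """Return (facility, severity) from the leading <PRI>, or None if absent/invalid."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def matches_f_local0(datagram):
    """Mirror of the thread's filter: facility(local0) and level(info..emerg)."""
    decoded = decode_pri(datagram)
    if decoded is None:
        return False
    facility, severity = decoded
    # info..emerg covers numeric severities 6 down to 0; debug (7) falls outside it.
    return facility == "local0" and SEVERITIES.index(severity) <= SEVERITIES.index("info")

def listen(host="0.0.0.0", port=5514):
    """Print the decoded priority of every datagram received (port is an assumption)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    while True:
        data, peer = sock.recvfrom(8192)
        print(peer[0], decode_pri(data), matches_f_local0(data), data[:120])

# Constructed samples: message text modelled on the thread, PRI values chosen for illustration.
SAMPLES = [
    b"<133>Jun 29 14:57:08 bigip1 mcpd[1580]: 01070638:5: Pool member 10.128.214.226:80 monitor status unchecked.",
    b"<134>Jun 29 14:56:10 tmm tmm[1399]: Rule testlog CLIENT_ACCEPTED: blah blah blah",
    b"<135>Jun 29 14:56:10 tmm tmm[1399]: Rule testlog CLIENT_ACCEPTED: blah blah blah",
    b"<30>Jun 29 14:56:11 bigip1 sshd[2001]: constructed daemon.info line",
    b"Jun 29 14:56:12 no priority header",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decode_pri(sample), matches_f_local0(sample))
```

Pointing a temporary `udp()` destination at the port `listen()` binds shows the facility and level of each message as sent, which separates a filter mismatch from a message that never leaves the box.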
