Our client wants every syslog message sent by the BIG-IP to be on the local5 facility. I understand that this is not the behavior of syslog-ng. But is it possible? I tinkered around with the syslog options and could not find this option, not even on the CLI (we are running v188.8.131.52).
They're trying to emulate a NetScaler config:
add audit syslogAction AUDIT_SRV_SYSLOG 184.108.40.206 -logLevel EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE -dateFormat DDMMYYYY -logFacility LOCAL5 -timeZone LOCAL_TIME
This config sends all the messages to syslog server 220.127.116.11 as local5.
I don't believe this is easily possible. The BIG-IP uses many different facility values itself by default, so changing those will confuse systems that assume the default ones.
You might be able to overwrite something by tinkering in the syslog-ng.conf, but I wouldn't advise that.
I assume you want this to recognize the logging better on the syslog server? Isn't that possible on source IP or such?
Hey boneyard! How's it going my friend? Thank you for your reply.
I thought the same as you. I would have to tinker with the syslog-ng and I could very easily break something and I also advised our client against it.
They use some very old syslog solution and designed it that way. For now I said that it would not be possible. Let's see if they upgrade that legacy solution to a better one.
Thanks for your time, Rafael.
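
An added example, not part of the thread and not F5 or syslog-ng code: the facility lives only in the `<PRI>` number at the start of each message (PRI = facility × 8 + severity), so it can be rewritten on a separate relay host in front of the legacy collector, leaving the BIG-IP's syslog-ng.conf untouched. The relay host, addresses, ports and function names are assumptions, and the sample messages are constructed.

```python
import re
import socket

LOCAL5 = 21                      # facility code for local5 (local0 = 16 ... local7 = 23)
_PRI_RE = re.compile(rb"^<(\d{1,3})>")

def split_pri(datagram: bytes):
    """Return (facility, severity, body); facility is None if no valid PRI."""
    m = _PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:      # 191 = 23 * 8 + 7, the highest valid PRI
        # RFC 3164 relays treat a missing/invalid PRI as 13 (user.notice)
        return None, 5, datagram
    pri = int(m.group(1))
    return pri >> 3, pri & 7, datagram[m.end():]

def rewrite_facility(datagram: bytes, facility: int = LOCAL5) -> bytes:
    """Replace the facility and keep the sender's severity and message text."""
    _, severity, body = split_pri(datagram)
    return b"<%d>" % (facility * 8 + severity) + body

def relay(listen=("0.0.0.0", 5514), collector=("192.0.2.10", 514)):
    """Hypothetical UDP relay: receive from the BIG-IP, forward as local5."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(listen)
    while True:
        data, _src = rx.recvfrom(8192)
        tx.sendto(rewrite_facility(data), collector)

# Constructed sample messages (not real BIG-IP output).
SAMPLES = [
    b"<30>Jan  1 00:00:00 bigip1 tmm[1234]: constructed daemon.info line",
    b"<131>Jan  1 00:00:01 bigip1 ltm: constructed local0.err line",
    b"constructed line with no PRI header",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(rewrite_facility(s).decode())
```

The original facility is lost after the rewrite, so any filtering that depends on it has to happen on the relay before forwarding.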