Forum Discussion

Wouter_de_Bruin's avatar
Wouter_de_Bruin
Icon for Nimbostratus rankNimbostratus
Jul 09, 2008

Can I change default syslog facilities? (9.4.3)

Hello,

 

is there a way to change the default syslog facilities?

 

We have an external syslog server (Not managed by us, of course;-) which only forwards facilty 7 messages to the log files we are authorised to use. Yes, I know, it should be different, but its not a perfect world :-(

 

 

I know exactly which log events I'd like to forward to this server, but they have different facilities. I would like to change the facility of these messages to 7 before they are sent to the external server.

 

I had a look at "b syslog" but this doesn't seem to do the thing for me.

 

We are running LTM with 9.4.3

 

 

Any help appreciated.

 

Wouter de Bruin
management
monitoring

14 Replies

Sort By
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Jul 09, 2008
    Yes, syslog-ng can be setup to do this. Please reference this tech tip and post back if you have any questions.

     

     

    http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=155

     

    Click here
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jun 13, 2011
    could u pls try this? let us know if it doens't work.

     

     

    Changing the Facility or Priority of a Syslog Message section

     

    http://www.syslog.org/logged/pot-of-syslog-ng-tricks-version-3/
  • geffryti_32102's avatar
    geffryti_32102
    Icon for Nimbostratus rankNimbostratus
    Jun 14, 2011
    Thanks Nitass.

    I tried follow that but I get the below error... 

    b syslog include '"
 local3.*                                      /var/log/asm
filter f_local3a {
   facility(local3);
};

destination d_asmtest {
   file("/var/log/custom/asm_log_file"
   template("<190>$DATE $HOST $MSGHDR$MSG\n"; template_escape(no)));
};

log {
   source(local);
   filter(f_local3a);
   destination(d_asmtest);
};
"'
BIGpipe parsing error:
   012e0022:3: The requested value (/var/log/custom/asm_log_file") is invalid (show | ( | none)) for 'include' in 'syslog'

    I felt that bigpipe had it's own way of parsing templates, so I reference an existing template field in the original syslog conf file... and this is what I got... it had to declare the template and then bind it with the destination file... I followed the format but didn't help though... I will try out other things, but if you have any idea where I'm wrong here, I would appreciate it.. tnx

    note: this is one of our spare units... so the destination file changed a little 

    b syslog include '"
 local3.*                                      /var/log/asm
filter f_local3a {
   facility(local3);
};

template t_asm {
   template("<190> $DATE $HOST $MSGHDR$MSG\n");
   template_escape(no);
};

destination d_asmtest {
   file("/var/log/lost+found/output/testasmlog" template(t_asm));
};

log {
   source(local);
   filter(f_local3a);
   destination(d_asmtest);
};
"'
BIGpipe parsing error:
   012e0022:3: The requested value (<190> $DATE) is invalid (show |  | none) for 'include' in 'syslog'
  • geffryti_32102's avatar
    geffryti_32102
    Icon for Nimbostratus rankNimbostratus
    Jun 14, 2011
    Yup, that fixed it. Below is the working config. 

    b syslog include '"                        local3.*                                      /var/log/asm
filter f_local3a {
   facility(local3);
};

template t_asm {
   template(\"<190> $DATE $HOST $MSGHDR$MSG\n\");
   template_escape(no);
};

destination d_asmtest {
   file(\"/var/log/lost+found/output/testasmlog\" template(t_asm));
};

destination d_loghost5a {
udp(\"10.2.2.2\" port (514));
};

log {
   source(local);
   filter(f_local3a);
   destination(d_asmtest);
   destination(d_loghost5a);
};
"'

    But below is the end result of the syslog... as you can see it actually wrote <190> instead of changing the facility. I'll play around with it and get back to you if I fix it... 

    <190> Jun 14 06:51:51 blah blah blah blah blah
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jun 15, 2011
    this is mine. 

    
b syslog include '"
filter f_local3a {
   facility(local3);
};
template t_asm {
   template(\"<190> $DATE $HOST $MSGHDR$MSG\n\");
   template_escape(no);
};
destination d_loghost5a {
udp(\"192.168.206.96\" port (514) template(t_asm));
};
log {
   source(local);
   filter(f_local3a);
   destination(d_loghost5a);
};
"'

    71 12:00:21.300602 0.000000 172.28.16.50 192.168.206.96 Syslog LOCAL7.INFO: Jun 14 20:55:18 tulip root: test\n

  • geffryti_32102's avatar
    geffryti_32102
    Icon for Nimbostratus rankNimbostratus
    Jun 15, 2011
    Appreciate your help Nitass... it's working now... below is my working code....

     

     

    Note: I removed the $DATE and $HOST entry since it's already part of the MSG header...

     

     

    b syslog include '"
filter f_local3a {
   facility(local3);
};
template t_asm {
   template(\"<190> $MSGHDR$MSG\n\");
   template_escape(no);
};

destination d_loghost5a {
udp(\"2.2.2.2\" port (514) template(t_asm));
};
log {
   source(local);
   filter(f_local3a);
   destination(d_loghost5a);
};
"'
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Jun 20, 2011
    Nice work, guys! I wrote up your solution:

     

     

    http://devcentral.f5.com/weblogs/jason/archive/2011/06/20/changing-the-big-ip-default-syslog-ng-facilities.aspx Click Here
  • efftee_26336's avatar
    efftee_26336
    Historic F5 Account
    Mar 18, 2013
    The equivalent tmsh syntax is modify sys syslog include "filter f_local3a { facility(local3); }; template t_asm { template(\"<190> $DATE $HOST $MSGHDR$MSG\\n\"); template_escape(no); }; destination d_loghost5a { udp(\"2.2.2.2\" port (514) template(t_asm)); }; log { source(local); filter(f_local3a); destination(d_loghost5a); }; " and if you want to log every message into one remote syslog facility I used this CLI modify sys syslog include "template t_asm { template(\"<190> $DATE $HOST $MSGHDR$MSG\\n\"); template_escape(no); }; destination d_loghost5a { udp(\"10.255.0.1\" port (514) template(t_asm)); }; log { source(local); destination(d_loghost5a); }; "