Can I change default syslog facilities? (9.4.3)

Wouter_de_Bruin
Nimbostratus
Hello,

is there a way to change the default syslog facilities?

We have an external syslog server (not managed by us, of course ;-) which only forwards facility 7 messages to the log files we are authorised to use. Yes, I know, it should be different, but it's not a perfect world :(

I know exactly which log events I'd like to forward to this server, but they have different facilities. I would like to change the facility of these messages to 7 before they are sent to the external server.

I had a look at "b syslog" but this doesn't seem to do the thing for me.

We are running LTM 9.4.3.

Any help appreciated.

Wouter de Bruin
14 REPLIES

Jason_Rahm
Community Manager
Yes, syslog-ng can be set up to do this. Please reference this tech tip and post back if you have any questions.

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=155

nitass
F5 Employee
Could you please try this? Let us know if it doesn't work.

Changing the Facility or Priority of a Syslog Message section

http://www.syslog.org/logged/pot-of-syslog-ng-tricks-version-3/

geffryti_32102
Nimbostratus
Thanks Nitass.

I tried to follow that, but I get the error below...

b syslog include '" local3.* /var/log/asm filter f_local3a { facility(local3); }; destination d_asmtest { file("/var/log/custom/asm_log_file" template("<190>$DATE $HOST $MSGHDR$MSG\n"; template_escape(no))); }; log { source(local); filter(f_local3a); destination(d_asmtest); }; "'

BIGpipe parsing error: 012e0022:3: The requested value (/var/log/custom/asm_log_file") is invalid (show | ( | none)) for 'include' in 'syslog'

I felt that bigpipe had its own way of parsing templates, so I referenced an existing template field in the original syslog conf file... and this is what I got... it had to declare the template and then bind it with the destination file... I followed the format but it didn't help though... I will try out other things, but if you have any idea where I'm wrong here, I would appreciate it.. tnx

note: this is one of our spare units... so the destination file changed a little

b syslog include '" local3.* /var/log/asm filter f_local3a { facility(local3); }; template t_asm { template("<190> $DATE $HOST $MSGHDR$MSG\n"); template_escape(no); }; destination d_asmtest { file("/var/log/lost+found/output/testasmlog" template(t_asm)); }; log { source(local); filter(f_local3a); destination(d_asmtest); }; "'

BIGpipe parsing error: 012e0022:3: The requested value (<190> $DATE) is invalid (show | | none) for 'include' in 'syslog'

nitass
F5 Employee
Can you put a backslash (\) in front of each double quote (")?

geffryti_32102
Nimbostratus
Yup, that fixed it. Below is the working config.

b syslog include '" local3.* /var/log/asm filter f_local3a { facility(local3); }; template t_asm { template(\"<190> $DATE $HOST $MSGHDR$MSG\n\"); template_escape(no); }; destination d_asmtest { file(\"/var/log/lost+found/output/testasmlog\" template(t_asm)); }; destination d_loghost5a { udp(\"10.2.2.2\" port (514)); }; log { source(local); filter(f_local3a); destination(d_asmtest); destination(d_loghost5a); }; "'

But below is the end result of the syslog... as you can see it actually wrote <190> instead of changing the facility. I'll play around with it and get back to you if I fix it...

<190> Jun 14 06:51:51 blah blah blah blah blah

nitass
F5 Employee
This is mine.

b syslog include '" filter f_local3a { facility(local3); }; template t_asm { template(\"<190> $DATE $HOST $MSGHDR$MSG\n\"); template_escape(no); }; destination d_loghost5a { udp(\"192.168.206.96\" port (514) template(t_asm)); }; log { source(local); filter(f_local3a); destination(d_loghost5a); }; "'

71 12:00:21.300602 0.000000 172.28.16.50 192.168.206.96 Syslog LOCAL7.INFO: Jun 14 20:55:18 tulip root: test\n

geffryti_32102
Nimbostratus
Appreciate your help Nitass... it's working now... below is my working code....

Note: I removed the $DATE and $HOST entry since it's already part of the MSG header...

b syslog include '" filter f_local3a { facility(local3); }; template t_asm { template(\"<190> $MSGHDR$MSG\n\"); template_escape(no); }; destination d_loghost5a { udp(\"2.2.2.2\" port (514) template(t_asm)); }; log { source(local); filter(f_local3a); destination(d_loghost5a); }; "'

nitass
F5 Employee
thanks for update and glad to hear it works now. :)

Jason_Rahm
Community Manager
Nice work, guys! I wrote up your solution:

http://devcentral.f5.com/weblogs/jason/archive/2011/06/20/changing-the-big-ip-default-syslog-ng-facilities.aspx

efftee_26336
Historic F5 Account
The equivalent tmsh syntax is:

modify sys syslog include "filter f_local3a { facility(local3); }; template t_asm { template(\"<190> $DATE $HOST $MSGHDR$MSG\\n\"); template_escape(no); }; destination d_loghost5a { udp(\"2.2.2.2\" port (514) template(t_asm)); }; log { source(local); filter(f_local3a); destination(d_loghost5a); }; "

and if you want to log every message into one remote syslog facility, I used this CLI:

modify sys syslog include "template t_asm { template(\"<190> $DATE $HOST $MSGHDR$MSG\\n\"); template_escape(no); }; destination d_loghost5a { udp(\"10.255.0.1\" port (514) template(t_asm)); }; log { source(local); destination(d_loghost5a); }; "

This command does not work. Please help.

Hem_66900
Cirrus

Can someone get me the correct tmsh command that can modify the log facility to local3 before sending to the syslog server, on 12.0.0 HF2?

Hem_66900
Cirrus

Any help on this is greatly appreciated.

We want to send all syslogs from F5 devices to remote syslog server to facility local3.

The syslog server has different facilities. I would like to change the facility of these messages to 3 before the F5 syslogs are sent to the syslog server. This will make sure all logs from the F5 go to a single file on the syslog server under the local3 facility. It is easier to manage logs that way on the syslog server. Otherwise the logs are all over the place, and we have a customized syslog server that writes each unique device type's syslog to a unique facility.

Please let me know for any additional information required.

From RFC3164, 190 = local7(informational), 158 = local3(informational). Severity is your choice though depending on how you want it handled at the remote syslog server end (152-159 are valid).

PRI = facility * 8 + severity:

Facility    emergency  alert  critical  error  warning  notice  info  debug
kernel              0      1         2      3        4       5     6      7
user                8      9        10     11       12      13    14     15
mail               16     17        18     19       20      21    22     23
system             24     25        26     27       28      29    30     31
security           32     33        34     35       36      37    38     39
syslog             40     41        42     43       44      45    46     47
lpd                48     49        50     51       52      53    54     55
nntp               56     57        58     59       60      61    62     63
uucp               64     65        66     67       68      69    70     71
time               72     73        74     75       76      77    78     79
security           80     81        82     83       84      85    86     87
ftpd               88     89        90     91       92      93    94     95
ntpd               96     97        98     99      100     101   102    103
logaudit          104    105       106    107      108     109   110    111
logalert          112    113       114    115      116     117   118    119
clock             120    121       122    123      124     125   126    127
local0            128    129       130    131      132     133   134    135
local1            136    137       138    139      140     141   142    143
local2            144    145       146    147      148     149   150    151
local3            152    153       154    155      156     157   158    159
local4            160    161       162    163      164     165   166    167
local5            168    169       170    171      172     173   174    175
local6            176    177       178    179      180     181   182    183
local7            184    185       186    187      188     189   190    191
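The arithmetic behind the reply above, as an added Python example that is not from the thread, from F5, or from syslog-ng. It computes the RFC 3164 PRI for any facility/severity pair (190 = local7/info, 158 = local3/info, so for Hem's case the "<190>" in efftee's tmsh template becomes "<158>"), and it shows the caveat a hard-coded "<190>" template carries: every forwarded message arrives as severity info, whether it started as auth.crit or user.info. The rewrite function below changes only the facility and keeps the original severity. It also accepts the "<190> " form with a space after the PRI, which nitass's template emits and Wireshark decoded without complaint, but emits the RFC 3164 form with no space. The host name and sample messages are constructed for the example.

```python
"""Added example: RFC 3164 PRI arithmetic and a facility rewrite that keeps
each message's original severity. Not part of the original thread."""
import re

# Facility codes from RFC 3164 section 4.1.1 (short names; the thread's table
# lists "security" twice, for 4 = auth and 10 = authpriv).
FACILITY = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "audit": 13, "alert": 14, "clock": 15,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}


def _code(table, value):
    """Accept either a name from the table or a raw integer."""
    return table[value] if isinstance(value, str) else int(value)


def pri(facility, severity):
    """PRI = facility * 8 + severity; pri("local7", "info") == 190."""
    f, s = _code(FACILITY, facility), _code(SEVERITY, severity)
    if not (0 <= f <= 23 and 0 <= s <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return f * 8 + s


def decode_pri(value):
    """Inverse of pri(): returns (facility, severity) as integers."""
    if not 0 <= value <= 191:
        raise ValueError(f"PRI {value} outside 0-191")
    return value // 8, value % 8


# RFC 3164 puts the timestamp directly after ">"; the thread's template adds
# one space ("<190> Jun 14 ..."), so tolerate at most one on input.
PRI_RE = re.compile(r"^<(\d{1,3})>\s?")


def rewrite_facility(msg, new_facility, severity=None):
    """Return msg with its PRI facility replaced by new_facility.

    The original severity is preserved unless a severity is given
    explicitly, which is what a fixed "<190>" template effectively does.
    """
    m = PRI_RE.match(msg)
    if not m:
        raise ValueError("message has no <PRI> header")
    _, sev = decode_pri(int(m.group(1)))
    if severity is not None:
        sev = _code(SEVERITY, severity)
    return f"<{pri(new_facility, sev)}>" + msg[m.end():]


# Constructed sample messages (host name "bigip1" is invented).
SAMPLES = [
    "<34>Jun 14 06:51:51 bigip1 su: 'su root' failed for admin",   # auth.crit
    "<190> Jun 14 06:51:51 bigip1 root: test",                     # local7.info, thread's shape
    "<14>Jun 14 06:52:00 bigip1 mcpd: configuration loaded",       # user.info
]


def forward_as(facility, msgs=SAMPLES):
    """Relay every message to one facility, keeping each severity."""
    return [rewrite_facility(m, facility) for m in msgs]


def forward_with_fixed_template(msgs=SAMPLES):
    """What the thread's hard-coded "<190>" template does to every message."""
    return [rewrite_facility(m, "local7", "info") for m in msgs]


if __name__ == "__main__":
    for before, after in zip(SAMPLES, forward_as("local3")):
        print(before, "->", after)
```

Run it and the auth.crit sample becomes <154> (local3 with severity 2 kept), while the fixed-template path turns the same message into <190>, which is why an alerting rule on the remote server that keys on severity would never fire for messages forwarded that way.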