24-Mar-2022 03:14
Here is our syslog configuration:
sys syslog {
    auth-priv-from notice
    auth-priv-to emerg
    clustered-host-slot enabled
    clustered-message-slot disabled
    console-log enabled
    cron-from warning
    cron-to emerg
    daemon-from notice
    daemon-to emerg
    description none
    include none
    iso-date disabled
    kern-from debug
    kern-to emerg
    local6-from notice
    local6-to emerg
    mail-from notice
    mail-to emerg
    messages-from notice
    messages-to warning
    remote-servers {
        remotesyslog1 {
            description none
            host X.X.X.X
            local-ip X.X.X.X
            remote-port 514
        }
    }
    user-log-from notice
    user-log-to emerg
}
And I want to configure syslog to include a specific string on /var/log/ltm.
How can I do this? Please help me.
24-Mar-2022 04:05
Hi,
You can follow this guide:
https://community.f5.com/t5/technical-articles/ltm-9-4-2-custom-syslog-configuration/ta-p/288996
24-Mar-2022 06:33
Careful, that link is from an unsupported version. These are some updated guides.
K13333: Filtering log messages sent to remote syslog servers (11.x - 15.x)
K13080: Configuring the BIG-IP system to log to a remote syslog server (11.x - 16.x)
24-Mar-2022 09:15
The point is not how to configure syslog; the point is to configure syslog to include a specific string on /var/log/ltm.
24-Mar-2022 09:18
You are exactly right
24-Mar-2022 09:24
You should follow the guide that I shared with you; it will probably help you with your requirement. If not, share exactly what string you want to add.
24-Mar-2022 09:33
Actually, I want to include the expired SSL certificate log on /var/log/ltm in syslog. I tried to test some solutions on DevCentral, but there are many different suggestions and they make me confused 😞
I need to filter and include log lines containing the string 'expire' in syslog.
24-Mar-2022 09:48
Ok, but it looks easy, there are native configurations that you can apply to meet your requirement:
This is one on the crontab daemon executed every day:
https://support.f5.com/csp/article/K14318
You can send an alert by email, or monitor the F5 by SNMP:
https://support.f5.com/csp/article/K15288
You can create a filter that matches a specific message-id and transmits it to the local-syslog log publisher.
tmsh create /sys log-config publisher local-syslog destinations add { local-syslog }
tmsh create /sys log-config filter filter_cert_will_expire message-id 01420008 publisher local-syslog
tmsh create /sys log-config filter filter_cert_expired message-id 01420007 publisher local-syslog
24-Mar-2022 09:56 - edited 24-Mar-2022 09:57
Hi @Jiwook ,
In that case, you could check this article which discusses the built-in SSL certificate expiration monitoring. The check-cert utility runs weekly and does create log messages regarding the certificates. I checked in my own environment and did see the messages get logged to syslog.
K14318: Monitoring SSL certificate expiration on the BIG-IP system (11.x - 16.x)
The messages would look similar to this:
01420008:4: Certificate 'CN=host.example.com' in file /Common/host.example.com.crt will expire on Mar 20 23:59:59 2022 GMT
Thanks,
Josh
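On the host that receives the forwarded syslog, the certificate messages can be selected by the two message IDs named in this thread rather than by the substring 'expire', which also matches unrelated lines. This is an added example, not code from the thread or from F5; the sample lines are constructed, and the "expired on" wording for 01420007 is an assumption modelled on the 01420008 line quoted above.

```python
import re
from datetime import datetime, timezone

# Message IDs named in this thread.
CERT_IDS = {"01420008": "will_expire", "01420007": "expired"}

# Body layout follows the 01420008 sample quoted above. The 01420007 wording
# ("expired on") is an assumption modelled on that sample.
CERT_RE = re.compile(
    r"(?P<msgid>0142000[78]):(?P<level>\d): "
    r"Certificate '(?P<subject>[^']*)' in file (?P<file>\S+) "
    r"(?:will expire|expired) on "
    r"(?P<when>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT"
)

# Constructed sample lines; the syslog prefix (time, host, level) is illustrative.
SAMPLE_LTM = [
    "Mar 13 04:02:01 bigip1 warning 01420008:4: Certificate 'CN=host.example.com' "
    "in file /Common/host.example.com.crt will expire on Mar 20 23:59:59 2022 GMT",
    "Mar 13 04:02:01 bigip1 err 01420007:3: Certificate 'CN=old.example.com' "
    "in file /Common/old.example.com.crt expired on Mar  1 23:59:59 2022 GMT",
    # Contains 'expire' but is not a certificate message: must be ignored.
    "Mar 13 04:05:10 bigip1 notice constructed-daemon[100]: idle session expired",
]

def parse_cert_line(line):
    """Return a record for a certificate-expiry message, or None for any other line."""
    m = CERT_RE.search(line)
    if m is None:
        return None
    # Collapse the double space syslog-style dates use for single-digit days.
    when = datetime.strptime(" ".join(m["when"].split()), "%b %d %H:%M:%S %Y")
    return {
        "state": CERT_IDS[m["msgid"]],
        "subject": m["subject"],
        "file": m["file"],
        "not_after": when.replace(tzinfo=timezone.utc),
    }

def cert_events(lines):
    """Keep only the lines that parse as certificate-expiry messages."""
    return [rec for rec in map(parse_cert_line, lines) if rec is not None]

def days_left(record, now):
    """Whole days until expiry; a negative value means already expired."""
    return (record["not_after"] - now).days
```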
24-Mar-2022 09:59
Same Article that I shared before.
24-Mar-2022 09:59
Please use caution with older guides. The guide you mentioned uses "bigpipe" or b shell commands, which were deprecated some time ago and won't work in recent versions.
24-Mar-2022 10:01
Same Article that I shared before.
This is one on the crontab daemon executed every day:
24-Mar-2022 10:51
@Sebastiansierra my apologies, I did not notice that you had pasted the same article previously.
24-Mar-2022 10:08
Thanks for all your help.
I'm deeply moved by your passion to save me.
I will test your suggestions tomorrow, and let you know about the results.
It is 2:08 am here and I should go to sleep now.
Thanks anyway for real and have a nice day all of you 🙂