Updated...OK: apparently somewhere in the last 10 years since I looked at syslog-ng filters last, the "match" was deprecated for "message". So here's how I tested, and the results:
sys syslog {
include "
filter f_local0 {
facility(local0) and not message(\"abc abc\");
};
filter f_local0_custom {
facility(local0) and message(\"abc abc\");
};
destination d_customlog {
file(\"/var/log/customlog\" create_dirs(yes));
};
log {
source(local);
filter(f_local0_custom);
destination(d_customlog);
};
"
}
Then I slapped this iRule on a test virtual and hit it from my desktop:
when HTTP_REQUEST {
log local0. "abc abc"
log local0. "abc123 abc123"
HTTP::respond 200 content "<html><body>sylog test initiating...</body></html>"
}
And here are my logs:
[root@ltm3:Active:Standalone] config # grep abc /var/log/ltm
Nov 19 09:22:36 ltm3.test.local info tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc123 abc123
Nov 19 09:22:36 ltm3.test.local info tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc123 abc123
[root@ltm3:Active:Standalone] config # grep abc /var/log/customlog
Nov 19 09:22:36 tmm1 tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc abc
Nov 19 09:22:36 tmm1 tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc abc
Updated...OK: apparently somewhere in the last 10 years since I looked at syslog-ng filters last, the "match" was deprecated for "message". So here's how I tested, and the results:
sys syslog {
include "
filter f_local0 {
facility(local0) and not message(\"abc abc\");
};
filter f_local0_custom {
facility(local0) and message(\"abc abc\");
};
destination d_customlog {
file(\"/var/log/customlog\" create_dirs(yes));
};
log {
source(local);
filter(f_local0_custom);
destination(d_customlog);
};
"
}
Then I slapped this iRule on a test virtual and hit it from my desktop:
when HTTP_REQUEST {
log local0. "abc abc"
log local0. "abc123 abc123"
HTTP::respond 200 content "<html><body>sylog test initiating...</body></html>"
}
And here are my logs:
[root@ltm3:Active:Standalone] config # grep abc /var/log/ltm
Nov 19 09:22:36 ltm3.test.local info tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc123 abc123
Nov 19 09:22:36 ltm3.test.local info tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc123 abc123
[root@ltm3:Active:Standalone] config # grep abc /var/log/customlog
Nov 19 09:22:36 tmm1 tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc abc
Nov 19 09:22:36 tmm1 tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc abc
hmm...that's not working either. Let me play a little, might need some regex there. Is "a a" just a pattern template (ie, you'll need more other stuff?) or is it precisely "a a" you're trying to match?
seems the syslog-ng changes over the years have passed our content by! Use message and not match. I've updated (and tested successfully) my answer above. For all latest BIG-IP versions 12.x+, the current syslog-ng version is 3.8.1, so make sure you review their documentation for additional support with customized logging.
