Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

How to configrue syslog include "space"

Go to solution
neeeewbie
MVP
MVP

‎11-Nov-2021 21:37

Hi guys 

 

I need your help !!! 

 

 

 

I have to configure syslog filter but space area does not enter the configuration

 

ex) and not match (aaa) >>> it is possible 

 

    and not match (a a) >>>>> it is not possible

 

 

 

I guess it is relate to space area 

 

so, how to configure include "space" ?

 

 

 

thank you

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
JRahm
Community Manager
Community Manager

‎12-Nov-2021 14:17 - last edited on ‎04-Jun-2023 19:15 by Fog

Updated...OK: apparently somewhere in the last 10 years since I looked at syslog-ng filters last, the "match" was deprecated for "message". So here's how I tested, and the results:

sys syslog {
    include "
filter f_local0 {
   facility(local0) and not message(\"abc abc\");
};
filter f_local0_custom {
   facility(local0) and message(\"abc abc\");
};
destination d_customlog {
   file(\"/var/log/customlog\" create_dirs(yes));
};
log {
   source(local);
   filter(f_local0_custom);
   destination(d_customlog);
};
"
}

Then I slapped this iRule on a test virtual and hit it from my desktop:

when HTTP_REQUEST {
  log local0. "abc abc"
  log local0. "abc123 abc123"
  HTTP::respond 200 content "<html><body>sylog test initiating...</body></html>"
}

And here are my logs:

[root@ltm3:Active:Standalone] config # grep abc /var/log/ltm
Nov 19 09:22:36 ltm3.test.local info tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc123 abc123
Nov 19 09:22:36 ltm3.test.local info tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc123 abc123
[root@ltm3:Active:Standalone] config # grep abc /var/log/customlog
Nov 19 09:22:36 tmm1 tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc abc
Nov 19 09:22:36 tmm1 tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc abc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral

View solution in original post

0 Kudos
5 REPLIES 5

Go to solution
JRahm
Community Manager
Community Manager

‎12-Nov-2021 14:17 - last edited on ‎04-Jun-2023 19:15 by Fog

Updated...OK: apparently somewhere in the last 10 years since I looked at syslog-ng filters last, the "match" was deprecated for "message". So here's how I tested, and the results:

sys syslog {
    include "
filter f_local0 {
   facility(local0) and not message(\"abc abc\");
};
filter f_local0_custom {
   facility(local0) and message(\"abc abc\");
};
destination d_customlog {
   file(\"/var/log/customlog\" create_dirs(yes));
};
log {
   source(local);
   filter(f_local0_custom);
   destination(d_customlog);
};
"
}

Then I slapped this iRule on a test virtual and hit it from my desktop:

when HTTP_REQUEST {
  log local0. "abc abc"
  log local0. "abc123 abc123"
  HTTP::respond 200 content "<html><body>sylog test initiating...</body></html>"
}

And here are my logs:

[root@ltm3:Active:Standalone] config # grep abc /var/log/ltm
Nov 19 09:22:36 ltm3.test.local info tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc123 abc123
Nov 19 09:22:36 ltm3.test.local info tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc123 abc123
[root@ltm3:Active:Standalone] config # grep abc /var/log/customlog
Nov 19 09:22:36 tmm1 tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc abc
Nov 19 09:22:36 tmm1 tmm1[12240]: Rule /Common/syslog_match_test <HTTP_REQUEST>: abc abc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral
0 Kudos

Go to solution
neeeewbie
MVP
MVP
In response to JRahm

‎19-Nov-2021 00:02

this setting does not working

0 Kudos

Go to solution
JRahm
Community Manager
Community Manager
In response to neeeewbie

‎19-Nov-2021 06:09

forgot to escape the quotes, sorry.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral
0 Kudos

Go to solution
JRahm
Community Manager
Community Manager
In response to neeeewbie

‎19-Nov-2021 06:37

hmm...that's not working either. Let me play a little, might need some regex there. Is "a a" just a pattern template (ie, you'll need more other stuff?) or is it precisely "a a" you're trying to match?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral
0 Kudos

Go to solution
JRahm
Community Manager
Community Manager
In response to neeeewbie

‎19-Nov-2021 07:29

seems the syslog-ng changes over the years have passed our content by! Use message and not match. I've updated (and tested successfully) my answer above. For all latest BIG-IP versions 12.x+, the current syslog-ng version is 3.8.1, so make sure you review their documentation for additional support with customized logging.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral
0 Kudos
Copyright © 2023 Khoros, LLC