mgateau
Oct 22, 2020

Modify RFC5424 logs before sending them with HSL

Dear iRule gurus,

I have set up, via the official doc "bigip-external-monitoring-implementations", encrypted syslog5424 logging to a remote server.

It uses a local virtual server whose IP is used as the pool member of the logging destination object or HSL pool.

Then, using logging profiles, log publishers and HSL filters, we can send all module events and local TMOS logs to remote servers in RFC5424 and encrypted!

My problem:

I would like, as RFC5424 allows, to insert a new SD-ELEMENT in the logs before sending them.

I did not find any tmsh commands nor syslog-ng config that allows this feature.

So I tried with an iRule based on TCP::collect, TCP::payload... but as events are not triggered for each log sent internally, it does not work.

Logs sent by modules and syslog-ng to my local VS use long-lived established TCP sessions (as per HSL design, I think?).

I did not try using UDP as I need encryption.

If you have any idea on how to do this, it would be nice.

Thanks for your feedback.

 

2 Replies

  • Dear Hamish, sorry for this looooong delay.

    Thanks to your advice I have succeeded in parsing logs using the STREAM feature.

    A great thanks.