NimbostratusI used the log IP for an irule and the log lines are still going to /var/log/ltm. I only want the output to skip /var/log/ltm/ and only output to the syslogs. Is that possible? Thanks
irule being used
when HTTP_RESPONSE {
log XX.XX.XXXXX:514 [HTTP::response]
}
MVPAs you are looking to do, /var/log/ltm should only be used for short term tshoot. To use syslog exclusively, and *quickly*, I would look at HSL: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-12-0-0/4.html. Use that instead.
NimbostratusThanks for this possible solution, but it is a bit more that what we want to setup right now. I just wanted to make sure I have the correct syntax to send the output of the iRule directly to the syslog we already have setup. When I run the iRule I see the output in both /var/log/ltm logs and on the syslog output, but I only want to see the output in the syslog. Thanks
MVPNot in front of computer at the moment, but you could simply change the severity in the irule log statement. Presumably under the syslog settings, you have default or some other setting to only log high level issues. If you change the severity, and it is less than that configured for logging to /var/log/ltm them it will not be written to disk.
MVPHere is the kb article: https://my.f5.com/manage/s/article/K13317.
The default facility used when using the 'log' statement in an irule is local0, or /var/log/ltm. So, maybe use facility 'info' which in theory should not be logged, depending on how your syslog is configured within the settings page.
So...
when HTTP_RESPONSE {
log local0.info XX.XX.XXXXX:514 [HTTP::response]
}
Alternatively, you can try also logging directly to the syslog IP hard coded in the iRule: https://clouddocs.f5.com/api/irules/log.html. So...
So...
when HTTP_RESPONSE {
log 192.168.1.1 local0.info XX.XX.XXXXX:514 [HTTP::response]
}
Where 192.168.1.1 is your SYSLOG server.
So a few more thoughts to maybe help you out.
