16-Apr-2019 08:56 - last edited on 01-Jun-2023 15:08 by JimmyPackets
Hello everyone,
I'm trying to filter just /var/log/ltm logs in F5 version 13.1.1.4, but with my configuration I can't filter the AUDIT logs; it is still sending them to my syslog destination.
I configured this in syslog all-properties:
include " filter syslog_level { facility(local0) and level(debug..crit); };
filter no_audit { not match ("AUDIT"); };
destination remote_server {
udp(\"172.16.10.26\" port(4000));
};
log {
source(local);
filter(syslog_level);
filter(no_audit);
destination(remote_server);
};
"
But when I tried to restart the syslog-ng service, it shows the following message: WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please use a more specific filter like message() and/or program() instead.;
Any ideas how I can receive just /var/log/ltm on my syslog destination?
Thanks in advance.
16-Apr-2019 14:03 - last edited on 01-Jun-2023 15:08 by JimmyPackets
Hello Berenice,
You're on the right track; your syntax is just a little off. Match now requires the use of "value()".
So I think something like:
filter no_audit { not match ( value=("AUDIT") ); };
Best of luck,
Austin
17-Apr-2019 10:27
Hello Austin,
Thanks for your help. I modified the filter as you told me, but it shows a syntax error. However, your reference helped a lot. I found how to configure the filter like:
filter no_audit { not match (AUDIT value(MESSAGE) ); };
And it worked. Thanks.
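A way to check, at the syslog destination, that what arrives matches the filters settled on in this thread (an added example, not code from the original posts): it decodes the `<PRI>` header of each captured line and models facility(local0), level(debug..crit) and not match(AUDIT value(MESSAGE)). The RFC 3164-style line layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

LOCAL0 = 16                  # syslog facility code for local0
SEV_CRIT, SEV_DEBUG = 2, 7   # level(debug..crit) covers severities 7 down to 2
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse_pri(line):
    """Split a raw syslog line into (facility, severity, rest_of_line)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header: %r" % line[:40])
    pri = int(m.group(1))
    return pri >> 3, pri & 7, m.group(2)

def message_part(rest):
    """Return the MESSAGE text, i.e. what follows the 'program[pid]: ' tag."""
    _, sep, msg = rest.partition(": ")
    return msg if sep else rest

def would_forward(line):
    """Model: facility(local0) and level(debug..crit) and not match(AUDIT value(MESSAGE))."""
    facility, severity, rest = parse_pri(line)
    if facility != LOCAL0:
        return False
    if not SEV_CRIT <= severity <= SEV_DEBUG:
        return False
    return re.search("AUDIT", message_part(rest)) is None

def unexpected(received):
    """Lines captured at the collector that the filters should have dropped."""
    return [line for line in received if not would_forward(line)]

# Constructed sample lines (not real BIG-IP output).
SAMPLES = [
    "<131>Apr 16 08:56:01 bigip1 tmm[11111]: pool member marked down (sample)",
    "<133>Apr 16 08:56:02 bigip1 mcpd[5555]: AUDIT - user admin - modify (sample)",
    "<129>Apr 16 08:56:03 bigip1 sod[4444]: alert-level event (sample)",
    "<86>Apr 16 08:56:04 bigip1 sshd[2222]: session opened (sample)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("forward" if would_forward(line) else "drop   ", line)
```

Feeding `unexpected()` a capture taken on the destination port shows any line that slipped past the filters, such as a remaining AUDIT record.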
28-Aug-2023 12:19
Hello,
Did it change in 17.1*?