F5 APM Syslog-NG parser
Hello everybody, I use the F5 BIG-IP Edge Client VPN and I would like to generate a log with all of these session variables: "session.ldap.last.attr.userPrincipalName + session.check_machinecert.last.cert.subject + session.assigned.clientip". My problem is that "session.assigned.clientip" isn't populated in the session variables, so I can't use a log message to make a custom log with all of these values. So my question is: is it possible to parse these logs with syslog-ng, concatenate all the syslog frames by session ID, and forward the concatenated log to another syslog instance? I don't know if my question is very understandable. Regards, Miguel

Need help on syslog CLI configuration
Hello team, I have to correct the syslog config with the commands below. Will there be any impact from running these commands? Which list command can I run to perform pre-checks, and how do I confirm that the configuration is working correctly post-implementation? What is the use of each of the two commands?

tmsh modify sys syslog {include "destination remote_server {tcp(10.10.10.8 port (1528));};filter f_alllogs {level (debug...emerg);};log {source(local);filter(f_alllogs);destination(remote_server);};options {use_fqdn(yes); keep_hostname(yes);};"}

tmsh modify sys syslog {remote-servers replace-all-with {remotesyslog1 {host 10.1.20.1 local-ip 192.168.101.1 remote-port 5528} remotesyslog2 {host 10.2.20.1 local-ip 192.168.101.1??? remote-port 5528}}}

Can BIG-IQ forward the ASM event logs it receives from BIG-IP to a syslog server?
Hi. Right now we have all BIG-IPs send ASM event logs to BIG-IQ. The question is: can BIG-IQ forward the ASM event logs it receives from BIG-IP to a syslog server, or do I need to configure each BIG-IP to send ASM event logs to both (BIG-IQ and the syslog server) instead?

iRule to send syslog messages to a remote server over TCP instead of UDP?
Hi all! Do you know if it is possible to send syslog messages from an iRule to a remote syslog server over TCP instead of UDP? The goal is to be able to send longer/larger syslog messages. Thanks!

Logging all AFM Rules
Hello, I have multiple AFM rules, more than 300, distributed across multiple "rule-lists". Some have the "logging" option enabled and others do not. I need to enable the "logging" option for all the rules in the partition. Is there a method for this, or some script? Thank you

iRule to log HTTP Request
Hello, I have two F5 BIG-IPs:

1 x BIG-IP 11.4.1 Build 647.0 Hotfix HF4
1 x BIG-IP 10.2.4 Build 817.0 Hotfix HF7

I want to set up logging for HTTP traffic. On the first F5 (11.4), no problem. I have created a request logging profile with this template:

$DATE_NCSA client=$CLIENT_IP:$CLIENT_PORT request=$HTTP_REQUEST virtual-server=$VIRTUAL_NAME($VIRTUAL_IP:$VIRTUAL_PORT) member=$SERVER_IP:$SERVER_PORT

On the second F5 (10.2), it is more complicated since the "Request logging profile" does not exist, and I can't upgrade the device. I decided to create an iRule which produces a log with the same format (HTTP request), but I don't know how to do it, especially how to generate "$DATE_NCSA" from the iRule. Any help would be very much appreciated! 🙂 Thanks. PS: please excuse my English 🐵

Log the count of the STREAM hits
I'm trying to figure out how it would be possible to see how many times a STREAM::expression is being executed.

when HTTP_REQUEST {
    # Capture the Host header here so it is available in HTTP_RESPONSE
    # (the original snippet referenced $http_host without setting it)
    set http_host [HTTP::host]
}
when HTTP_RESPONSE {
    if { $http_host equals "avv.com" or $http_host equals "acc.com" } {
        # STREAM::expression replaces any previously set expression, so all
        # three search/replace pairs go into one space-separated expression
        STREAM::expression "@aa@bb@ @rr@ff@ @gg@qaqa@"
        STREAM::enable
        log local0. "RESPONSE: $http_host to IP: [IP::client_addr]"
    }
}

So in the log I want to see something like: Total STREAM hit 80 (40aa - 20rr - 20gg)

Pool status in Splunk for F5 Networks
Hi all, I made some tests on Splunk with TMOS version 11.5.0. My tests were on AFM, LTM and also syslog events. LTM (with the iRule included) and AFM work fine, but for syslog events there's something wrong. If you want to have your pool status statistics in Splunk, you have to parse syslog events. But those events have changed with version 11.5.0, so here is the newest regex you'll need:

/\]:\s(........:.):\sPool\s(\S+)\smember\s(\S+)\smonitor\sstatus\s(\S+)\.\s?\[?\s?(?:\S+)?\:?\s?(?:\S+)?\s?\]?\s+?\[\swas\s(\S+)\sfor\s(\S+)/

This regex goes into /opt/splunk/etc/apps/SplunkforF5Networks/default/transforms.conf under [f5-syslog-eventcode]. I still have something missing in my Splunk configuration because I don't have all my pool statuses. If anybody has already played with it, could you tell me where I'm wrong? Thanks.

BIG-IP: send all syslog messages with the local5 facility
Hello Devs! Our client wants every syslog message sent by the BIG-IP to be on the local5 facility. I understand that this is not the behavior of syslog-ng. But is it possible? I tinkered around with the syslog options and could not find this option, not even on the CLI (we are running v15.1.0.5). They're trying to emulate a NetScaler config:

add audit syslogAction AUDIT_SRV_SYSLOG 1.2.3.4 -logLevel EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE -dateFormat DDMMYYYY -logFacility LOCAL5 -timeZone LOCAL_TIME

This config sends all the messages to syslog server 1.2.3.4 as local5. Thanks, Rafael.

TCP Rewrite Rule used in Syslog TCP
Hi DevCentral community! I have a SIEM with two syslog/TCP receivers (let's name them R1 and R2). I've created a VS listening on 514/TCP that receives the syslog TCP message and sends it to R1. In case R1 is down, the VS will send the syslog TCP message to R2. As my SIEM assigns a tag to each received message based on the client IP, I need to rewrite the syslog message before sending it to the R1 or R2 receivers (because I see the F5 self IP as the client IP in the receivers). So, I've written an iRule to rewrite the header of each syslog message before sending it. This is my iRule so far:

when CLIENT_ACCEPTED {
    # Get the IP of the client connecting to the VS
    set ip_original [IP::remote_addr]
    # Collect the TCP payload so it can be handled in CLIENT_DATA
    TCP::collect
    log local0. "Client Accepted from $ip_original"
}
when CLIENT_DATA {
    set OriginalTCPLength [TCP::payload length]
    # Replace the <PRI> header found in the very first bytes of the payload
    regsub {^<\d+>} [TCP::payload] "\[\]\[\]\[$ip_original\]\[[clock seconds]\]\[\] " string
    # CRLF (0d0a, \r\n) followed by <PRI>: another syslog message in the same TCP payload
    regsub -all {\r\n<\d+>} $string "\r\n\[\]\[\]\[$ip_original\]\[[clock seconds]\]\[\] " string
    set len [TCP::payload length]
    TCP::payload replace 0 $len $string
    set ModifiedTCPLength [TCP::payload length]
    # Send the modified payload to the next level
    log local0. "Forwarding message from $ip_original \t original length: $OriginalTCPLength \t modified length: $ModifiedTCPLength"
    TCP::release
    # Get ready for a new collection
    TCP::collect
}

The iRule works like a charm, but on some rare occasions it seems not to rewrite the message... Any clues/ideas/troubleshooting tips? Regards, Max