Forum Discussion

adam_rothschild's avatar
adam_rothschild
Icon for Nimbostratus rankNimbostratus
Oct 20, 2015

irule to send to syslog and not write to log file

I would like an irule that sends to a syslog server rather than write the log to any logfile locally. So far I can get my log in /var/log/ltm and the syslog server that the box has set as the remote ...
application delivery
devops
iRules
LTM
Brad_Parker's avatar
Brad_Parker
Icon for Cirrus rankCirrus
Oct 20, 2015

Don't write to the local 

log
with the log command. Use HSL, https://devcentral.f5.com/wiki/iRules.HSL.ashx

when SERVER_CONNECTED {
    set hsl [HSL::open -proto UDP -pool ]
    HSL::send $hsl "[IP::client_addr], [IP::local_addr], [IP::server_addr]"
}
when SERVER_CLOSED {
    HSL::send $hsl "[IP::local_addr], [IP::server_addr]"
}
  • adam_rothschild's avatar
    adam_rothschild
    Icon for Nimbostratus rankNimbostratus
    Oct 20, 2015
    Is there any dependency for the syslog server set in the pool above to accept HSL? Reason I ask is that I see my irule taking hits in statistics, but never see the log in syslog.
  • Brad_Parker's avatar
    Brad_Parker
    Icon for Cirrus rankCirrus
    Oct 20, 2015
    Your syslog pool should contain a syslog server that is setup to receive syslogs on the configured port with the proto in HSL::open(UDP or TCP). Also, TMM needs to have a route or L2 access to that syslog server.
  • adam_rothschild's avatar
    adam_rothschild
    Icon for Nimbostratus rankNimbostratus
    Oct 20, 2015
    Ok, i have a mgmt route and i see the connection. It doesnt feel correct being that the soruorce (10.32.92.6) is a self IP of the device and not sure about the any6.any. Maybe I'm not correct about that. any6.any any6.any 10.32.92.6:39519 10.17.56.14:514 udp 11 (slot/tmm: 1/1) none sys management-route 10.17.56.14/32 { gateway 10.32.92.1 network 10.17.56.14/32 }
  • Brad_Parker's avatar
    Brad_Parker
    Icon for Cirrus rankCirrus
    Oct 20, 2015
    You see the source from a self-IP because it is coming from TMM not the mgmt. It just happens to be routing through your mgmt interface. I would create a traffic route in TMM rather than routing this through your management interface. HSL actually is sending the logs from TMM not syslog-ng like the management linux kernel. You can have a route in both routing tables if you are planning on sending syslogs from both the system and your iRule.
  • adam_rothschild's avatar
    adam_rothschild
    Icon for Nimbostratus rankNimbostratus
    Oct 21, 2015
    Awesome, I am almost there. Last step is i need a few extra fields to appear in the log sent via HSL. Currently HSL sends just this info in the syslog message "10.222.146.177, 10.62.239.11, 10.62.234.30", which i need. When I was logging to local0. I also got this syslog message "Oct 15 16:42:38 slot1/F5-DEVICE-NAME-1 info tmm1[25855]: Rule /Common/snatmatch : 10.222.146.177, 10.62.239.11, 10.62.234.30" I am now looking for the field names to match up to the other parts of the syslog message and add then into the HSL fields. I have not found a reference guide just yet.
  • Brad_Parker's avatar
    Brad_Parker
    Icon for Cirrus rankCirrus
    Oct 21, 2015
    What you will probably want to do is to play with creating a log publisher, remote syslog destination, which forwards to a remote High-Speed Log destination. That should help get the format you are wanting, then you can tweak your message as you see fit. Then you can use your created publisher in your HSL::open command. https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-11-5-0/2.html