syslog filtering
We are trying to modify our syslog so that we receive only warning- and emergency-level notifications, but none of the filters we have tried is working.
In case anyone else has had this problem: I used the configuration below to suppress the ssl_req and ssl_acc records while (hopefully) still receiving everything else from info up to emerg.
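modify syslog {
    auth-priv-from warning
    auth-priv-to emerg
    console-log enabled
    cron-from warning
    cron-to emerg
    daemon-from notice
    daemon-to emerg
    description none
    include "
# Forward everything from info up to emerg to the remote collector,
# minus the local6.info ssl_acc / ssl_req access-log records.
filter f_remote_loghost {
    level(info..emerg);
};
# Drop-list filter: a message passes only if it is NEITHER an ssl_acc
# record NOR an ssl_req record, so the two negated terms must be joined
# with 'and'.  Joined with 'or' (as originally written) the filter passes
# any message that fails to match at least one of the two patterns --
# which is every message -- so nothing is suppressed.
# The leading bracket is escaped so the pattern matches the literal text
# [ssl_acc] / [ssl_req]; an unescaped '[' opens a regex character class
# instead.  The doubled backslash follows the escaping the original
# already relied on for the closing bracket inside this tmsh-quoted
# include -- confirm the rendered syslog-ng config shows a single one.
filter f_ssl_acc_req {
    not (facility(local6) and level(info) and match('\\[ssl_acc\\]')) and
    not (facility(local6) and level(info) and match('\\[ssl_req\\]'));
};
# Plain UDP/514 is unencrypted and unacknowledged: records can be read in
# transit or silently lost.  Prefer a TCP or TLS destination if the
# collector supports one.
destination d_remote_loghost {
    udp(\"192.168.2.102\" port(514));
};
# NOTE(review): this log path is gated only by f_remote_loghost and
# f_ssl_acc_req, not by the per-facility from/to ranges set above; that
# is consistent with the sample output, where authpriv.notice (<85>)
# AUDIT login records still reach the collector although auth-priv-from
# is set to warning.  If those ranges also raise the floor of the local
# log files, notice-level login audit records would be kept only on the
# remote host -- confirm that is intended before relying on it.
log {
    source(s_syslog_pipe);
    filter(f_remote_loghost);
    filter(f_ssl_acc_req);
    destination(d_remote_loghost);
};
"
    iso-date disabled
    kern-from notice
    kern-to emerg
    local6-from notice
    local6-to emerg
    mail-from notice
    mail-to emerg
    messages-from notice
    messages-to warning
    remote-servers none
    user-log-from notice
    user-log-to emerg
}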
Here is the syslog output received on the remote host after applying the change:
<85>Jan 31 14:51:06 f5 notice httpd[9697]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.2.102 attempts=1 start="Fri Jan 31 13:02:13 2014" end="Fri Jan 31 14192.168.2.331/01 14:51:06.764
<133>Jan 31 14:51:06 f5 notice httpd[9697]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.2.102 attempts=1 start="Fri Jan 31 13:02:13 2014" end="Fri Jan 31 1192.168.2.331/01 14:51:06.767
<85>Jan 31 14:51:12 f5 notice httpd[16433]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.2.102 attempts=1 start="Fri Jan 31 14:51:12 2014". 192.168.2.331/01 14:51:12.124
<133>Jan 31 14:51:12 f5 notice httpd[16433]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.2.102 attempts=1 start="Fri Jan 31 14:51:12 2014". 192.168.2.331/01 14:51:12.126
<133>Jan 31 14:51:58 f5 notice tmsh[8254]: 01420002:5: AUDIT - pid=8254 user=root folder=/Common module=(tmos) status=[edit canceled] cmd_data=edit /sys syslog all-properties 192.168.2.331/01 14:51:58.087
<78>Jan 31 14:52:01 f5 info crond[18300]: (syscheck) CMD (/usr/bin/system_check -q) 192.168.2.331/01 14:52:01.351
<133>Jan 31 14:52:02 f5 notice tmsh[8254]: 01420002:5: AUDIT - pid=8254 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=save /sys config 192.168.2.331/01 14:52:02.313
<133>Jan 31 14:52:27 f5 notice tmsh[8254]: 01420002:5: AUDIT - pid=8254 user=root folder=/Common module=(tmos) status=[edit canceled] cmd_data=edit /sys syslog all-properties 192.168.2.331/01 14:52:27.314
<78>Jan 31 14:54:01 f5 info crond[18547]: (syscheck) CMD (/usr/bin/system_check -q) 192.168.2.331/01 14:54:01.413
<78>Jan 31 14:55:01 f5 info crond[18665]: (root) CMD (/usr/lib/sa/sa1) 192.168.2.331/01 14:55:01.446
<78>Jan 31 14:56:01 f5 info crond[18779]: (syscheck) CMD (/usr/bin/system_check -q) 192.168.2.331/01 14:56:01.486