Tim_92618
Aug 31, 2012 (Nimbostratus)
syslog filtering
We are trying to modify our syslog to get just warning- and emergency-level notifications, but none of the filters we have tried are working.
modify syslog {
auth-priv-from warning
auth-priv-to emerg
cron-from warning
cron-to emerg
daemon-from warning
daemon-to emerg
description none
include "
filter f_remote_loghost {
level(warn..emerg);
};
filter f_local6_httpd_ssl_acc {
facility(local6)
and match(\"\\[ssl_acc\\]\") and not match(\"\\] 172.30.x.x\"); };
filter f_local6_httpd_ssl_req {
facility(local6)
and match(\"\\[ssl_req\\]\") and not match(\"\\] 172.30.x.x\"); };
destination d_remote_loghost {
udp(\"172.30.y.y\" port(514));
};
log {
source(s_syslog_pipe);
filter(f_remote_loghost);
filter(f_local6_httpd_ssl_acc);
filter(f_local6_httpd_ssl_req);
destination(d_remote_loghost);
};
"
iso-date disabled
kern-from warning
kern-to emerg
mail-from warning
mail-to emerg
messages-from warning
messages-to warning
remote-servers replace-all-with {
remotesyslog1 {
description none
host 172.30.y.y
local-ip none
remote-port 514
}
}
user-log-from warning
user-log-to emerg
}
sol11723: Filtering log messages sent to remote syslog servers (9.4.x - 10.x)
http://support.f5.com/kb/en-us/solutions/public/11000/700/sol11723.html
We have tried the syslog include statements from many articles, and yet the informational, debug, and notice events are still forwarding. It seems this should be basic functionality of the LTM, so any assistance would be appreciated.

Your syslog include command is correct, but the wrong part is remotesyslog1. Since you use syslog include, you do not need remotesyslog1. Remove it and it will work. :-)
In case anyone else has issues, I used this to suppress ssl_req and ssl_acc and hopefully still get the rest from info to emerg.
modify syslog {
auth-priv-from warning
auth-priv-to emerg
console-log enabled
cron-from warning
cron-to emerg
daemon-from notice
daemon-to emerg
description none
include "
filter f_remote_loghost {
level(info..emerg);
};
filter f_ssl_acc_req {
# pass a line only when it is neither an ssl_acc nor an ssl_req record:
# the two not(...) terms have to be joined with and (with or, one side is
# always true and nothing is dropped), and the leading bracket in the
# pattern has to be escaped or it starts a regex character class
not (facility(local6) and level(info) and match('\\[ssl_acc\\]'))
and not (facility(local6) and level(info) and match('\\[ssl_req\\]'));
};
destination d_remote_loghost {
udp(\"192.168.2.102\" port(514));
};
log {
source(s_syslog_pipe);
filter(f_remote_loghost);
filter(f_ssl_acc_req);
destination(d_remote_loghost);
};
"
iso-date disabled
kern-from notice
kern-to emerg
local6-from notice
local6-to emerg
mail-from notice
mail-to emerg
messages-from notice
messages-to warning
remote-servers none
user-log-from notice
user-log-to emerg
}
Here is my syslog after:
<85>Jan 31 14:51:06 f5 notice httpd[9697]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.2.102 attempts=1 start="Fri Jan 31 13:02:13 2014" end="Fri Jan 31 14 | 192.168.2.3 | 31/01 14:51:06.764
<133>Jan 31 14:51:06 f5 notice httpd[9697]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.2.102 attempts=1 start="Fri Jan 31 13:02:13 2014" end="Fri Jan 31 1 | 192.168.2.3 | 31/01 14:51:06.767
<85>Jan 31 14:51:12 f5 notice httpd[16433]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.2.102 attempts=1 start="Fri Jan 31 14:51:12 2014". | 192.168.2.3 | 31/01 14:51:12.124
<133>Jan 31 14:51:12 f5 notice httpd[16433]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=192.168.2.102 attempts=1 start="Fri Jan 31 14:51:12 2014". | 192.168.2.3 | 31/01 14:51:12.126
<133>Jan 31 14:51:58 f5 notice tmsh[8254]: 01420002:5: AUDIT - pid=8254 user=root folder=/Common module=(tmos) status=[edit canceled] cmd_data=edit /sys syslog all-properties | 192.168.2.3 | 31/01 14:51:58.087
<78>Jan 31 14:52:01 f5 info crond[18300]: (syscheck) CMD (/usr/bin/system_check -q) | 192.168.2.3 | 31/01 14:52:01.351
<133>Jan 31 14:52:02 f5 notice tmsh[8254]: 01420002:5: AUDIT - pid=8254 user=root folder=/Common module=(tmos) status=[Command OK] cmd_data=save /sys config | 192.168.2.3 | 31/01 14:52:02.313
<133>Jan 31 14:52:27 f5 notice tmsh[8254]: 01420002:5: AUDIT - pid=8254 user=root folder=/Common module=(tmos) status=[edit canceled] cmd_data=edit /sys syslog all-properties | 192.168.2.3 | 31/01 14:52:27.314
<78>Jan 31 14:54:01 f5 info crond[18547]: (syscheck) CMD (/usr/bin/system_check -q) | 192.168.2.3 | 31/01 14:54:01.413
<78>Jan 31 14:55:01 f5 info crond[18665]: (root) CMD (/usr/lib/sa/sa1) | 192.168.2.3 | 31/01 14:55:01.446
<78>Jan 31 14:56:01 f5 info crond[18779]: (syscheck) CMD (/usr/bin/system_check -q) | 192.168.2.3 | 31/01 14:56:01.486
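The tmsh fragments in this thread cannot be run off-box, so here is an added Python model of what the syslog-ng side does with them. It is written for this page and is neither F5 code nor the posters' code. It covers both points raised above: the accepted answer (a remote-servers entry for the same host adds a second, unfiltered path, so everything still arrives) and the f_ssl_acc_req filter in the later post, whose two not(...) terms are joined with or instead of and. The sample log lines are constructed in the shape of the output shown above; the two [ssl_acc]/[ssl_req] lines, the tmm pool message and the kernel line are made up, and treating remote-servers as an unfiltered duplicate path is a modelling assumption taken from the accepted answer, not something verified against a BIG-IP.

```python
import re

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19, "local4": 20,
    "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(line):
    """Split a BSD-syslog line into (facility number, severity name, message text)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix on line: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, SEVERITIES[pri % 8], m.group(2)


def level_range(lo, hi):
    """Severities selected by syslog-ng level(lo..hi); the order of the ends is irrelevant."""
    i, j = SEVERITIES.index(lo), SEVERITIES.index(hi)
    return set(SEVERITIES[min(i, j):max(i, j) + 1])


def is_ssl_log(facility, severity, msg, tag):
    """A local6/info line carrying a literal [ssl_acc] or [ssl_req] marker."""
    return (facility == FACILITIES["local6"] and severity == "info"
            and ("[%s]" % tag) in msg)


def posted_ssl_filter(facility, severity, msg):
    """f_ssl_acc_req as posted: not(A) or not(B). No line is both an ssl_acc and
    an ssl_req record, so one operand is always true and nothing is ever dropped."""
    a = is_ssl_log(facility, severity, msg, "ssl_acc")
    b = is_ssl_log(facility, severity, msg, "ssl_req")
    return (not a) or (not b)


def fixed_ssl_filter(facility, severity, msg):
    """Corrected logic: pass the line only if it is neither kind of SSL access record."""
    a = is_ssl_log(facility, severity, msg, "ssl_acc")
    b = is_ssl_log(facility, severity, msg, "ssl_req")
    return (not a) and (not b)


def forward(lines, lo, hi, ssl_filter):
    """One syslog-ng log {} statement: its filters are ANDed, so a line must satisfy
    both the level range and the SSL filter to reach the destination."""
    allowed = level_range(lo, hi)
    out = []
    for ln in lines:
        fac, sev, msg = parse_pri(ln)
        if sev in allowed and ssl_filter(fac, sev, msg):
            out.append(ln)
    return out


def delivered(lines, lo, hi, ssl_filter, remote_servers_entry):
    """What the remote host receives. Modelling assumption from the accepted answer:
    a remote-servers entry for the same host adds an unfiltered path, so every line
    arrives once and lines that pass the filtered path arrive twice."""
    out = forward(lines, lo, hi, ssl_filter)
    if remote_servers_entry:
        out = out + list(lines)
    return out


# Constructed sample input in the shape of the thread's output (not real captures).
SAMPLE_LINES = [
    '<85>Jan 31 14:51:06 f5 notice httpd[9697]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin)',
    '<133>Jan 31 14:51:58 f5 notice tmsh[8254]: 01420002:5: AUDIT - pid=8254 user=root folder=/Common status=[Command OK] cmd_data=save /sys config',
    '<78>Jan 31 14:52:01 f5 info crond[18300]: (syscheck) CMD (/usr/bin/system_check -q)',
    '<182>Jan 31 14:52:05 f5 info httpd[16433]: [ssl_acc] 192.168.2.102 - - [31/Jan/2014:14:52:05 -0500] "GET / HTTP/1.1" 200 1234',
    '<182>Jan 31 14:52:05 f5 info httpd[16433]: [ssl_req] [31/Jan/2014:14:52:05 -0500] 192.168.2.102 TLSv1 AES256-SHA "GET / HTTP/1.1" 1234',
    '<12>Jan 31 14:53:00 f5 warning tmm[5678]: 01010028:4: No members available for pool /Common/http_pool',
    '<0>Jan 31 14:53:30 f5 emerg kernel: kernel panic (constructed)',
]

if __name__ == "__main__":
    print("warning..emerg, fixed filter:      ",
          len(forward(SAMPLE_LINES, "warning", "emerg", fixed_ssl_filter)))
    print("info..emerg, filter as posted:     ",
          len(forward(SAMPLE_LINES, "info", "emerg", posted_ssl_filter)))
    print("info..emerg, fixed filter:         ",
          len(forward(SAMPLE_LINES, "info", "emerg", fixed_ssl_filter)))
    print("same, plus remote-servers entry:   ",
          len(delivered(SAMPLE_LINES, "info", "emerg", fixed_ssl_filter, True)))
```

The model uses a plain substring check for the `[ssl_acc]` marker; the real filter uses a regex, where an unescaped leading `[` opens a character class, so the pattern has to be written as `\[ssl_acc\]` (`'\\[ssl_acc\\]'` inside the tmsh include string) to match the literal marker.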