Forum Discussion

wixxyl_98682
Oct 04, 2012

Best practices for syslog

Dev,

I'm trying to figure out what we should be logging and how to adjust the logging for our syslog server. Has anyone seen a performance hit from the logging? I'd also like some insight into the HSL, but I need to get basic logging working to begin with before I go down that road. I've found the logging documentation for V11.2 to be kinda sparse, so I'm turning to Dev for some insight on what you guys are logging, how I can make the correct choices on what to log, etc. I've got syslog set up and it's logging somewhat correctly, however I'm seeing a lot of messages coming from Cron:

Oct 3 00:25:01 boydf5 debug crond[14048]: pam_unix(crond:session): session opened for user root by (uid=0)
Oct 3 00:25:01 boydf5 info crond[14049]: (root) CMD (/usr/lib/sa/sa1)
Oct 3 00:25:01 boydf5 debug crond[14048]: pam_unix(crond:session): session closed for user root
Oct 3 00:26:01 boydf5 debug crond[14050]: pam_unix(crond:session): session opened for user syscheck by (uid=0)

and I'm not really sure how to stop them. These logs are roughly 90% of what's being logged, and I don't see a need for them to be logged anywhere. I'm also seeing my machine requesting and receiving the SSL cert from the F5, and that's not really that important to me. I'm more concerned with tracking a security incident and making sure I've done my own CYA so there can't be any blame on me for not having the info I need. I've tweaked everything to the level I think it should be at, unless I'm looking at it incorrectly. I'm pasting in my syslog config to verify the settings are correct, and see if anyone has any suggestions. Thanks for the help!

sys syslog {
    auth-priv-from notice
    auth-priv-to emerg
    console-log disabled
    cron-from err
    cron-to err
    daemon-from notice
    daemon-to emerg
    description Boyd-F5-01
    include none
    iso-date disabled
    kern-from notice
    kern-to emerg
    local6-from notice
    local6-to emerg
    mail-from notice
    mail-to emerg
    messages-from notice
    messages-to warning
    remote-servers {
        remotesyslog1 {
            description none
            host XXX.XXX.XXX.XXX
            local-ip XXX.XXX.XXX.XXX
            remote-port XXX
        }
    }
    user-log-from emerg
    user-log-to emerg
}

4 Replies

  • Very good resources, thank you very much. I'm not really a Linux guy, so the underlying interface is taking some getting used to. Any insight into where those specific messages are being logged from? I've checked against the documentation and compared it with my own config, but I just don't know if I'm missing something. Do I need to restart the syslog function? I've not spent much time dealing with syslog (pretty obvious), so I want to get it right.
  • Oct 3 00:25:01 boydf5 debug crond[14048]: pam_unix(crond:session): session opened for user root by (uid=0)
    Oct 3 00:25:01 boydf5 info crond[14049]: (root) CMD (/usr/lib/sa/sa1)
    Oct 3 00:25:01 boydf5 debug crond[14048]: pam_unix(crond:session): session closed for user root
    Oct 3 00:26:01 boydf5 debug crond[14050]: pam_unix(crond:session): session opened for user syscheck by (uid=0)

    Those messages are from the remotesyslog1 configuration (in the GUI, it is System > Configuration > Remote Logging).

    Sorry, I just noticed you are running 11.x.

    "The default syslog levels defined for the BIG-IP system logs apply to only local logs; the syslog levels do not apply to remote syslog servers that were defined using the tmsh modify /sys syslog remote-servers command." sol13333: Filtering log messages sent to remote syslog servers (11.x)

    http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13333.html
  • Okay, so I've tested in my virtual environment and that link you gave me has it spot on. It was logging every time the system ran the scheduled job to poll for syslog, and created a log. The fact that the local logging levels aren't carried over to remote logging is strange to me, but, I guess it makes sense to somebody. :) I did pretty much what the filter was in the link and it seems to be working right. So now when I do "tmsh list sys syslog all-properties", I get:

    modify syslog {
        auth-priv-from notice
        auth-priv-to emerg
        cron-from warning
        cron-to emerg
        daemon-from notice
        daemon-to emerg
        description none
        include "
            filter f_remote_loghost {
                level(warn..emerg);
            };
            destination d_remote_loghost {
                udp(\"xx.xx.xx.xx\" port(514));
            };
            log {
                source(s_syslog_pipe);
                filter(f_remote_loghost);
                destination(d_remote_loghost);
            };
        "
        iso-date disabled
        kern-from notice
        kern-to emerg
        mail-from notice
        mail-to emerg
        messages-from notice
        messages-to warning
        remote-servers none
        user-log-from notice
        user-log-to emerg
    }

    without all of the unnecessary things coming through. Thanks very much for the help, Nitass, you are the best!!
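Added example, not from the thread or from F5: a small Python replay of the `level(warn..emerg)` filter that sol13333 and the final config above apply to the remote loghost, run over the cron lines quoted in the original post plus three constructed lines, to show which severities still reach the remote server. It assumes the BIG-IP local log format seen in the posts, where the severity keyword follows the hostname.

```python
import re

# syslog severity names as syslog-ng accepts them; 0 is the most severe.
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
          "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}

# BIG-IP local log format seen in the thread (assumed):
# "<Mon d HH:MM:SS> <host> <severity> <process>[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<sev>\w+) "
    r"(?P<proc>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

def parse_line(line):
    """Split one log line into fields; None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev_num"] = LEVELS.get(rec["sev"])  # None for an unknown keyword
    return rec

def level_filter(lo, hi):
    """Predicate equivalent to syslog-ng's level(lo..hi): an inclusive range."""
    low, high = sorted((LEVELS[lo], LEVELS[hi]))

    def accept(rec):
        return (rec is not None and rec["sev_num"] is not None
                and low <= rec["sev_num"] <= high)
    return accept

def forward(lines, accept):
    """Lines the filter would pass on to destination d_remote_loghost."""
    return [ln for ln in lines if accept(parse_line(ln))]

# Three lines quoted from the original post, then three constructed ones.
SAMPLE = [
    "Oct 3 00:25:01 boydf5 debug crond[14048]: pam_unix(crond:session): session opened for user root by (uid=0)",
    "Oct 3 00:25:01 boydf5 info crond[14049]: (root) CMD (/usr/lib/sa/sa1)",
    "Oct 3 00:25:01 boydf5 debug crond[14048]: pam_unix(crond:session): session closed for user root",
    "Oct 3 00:27:14 boydf5 warning sshd[2211]: constructed sample: authentication failure",
    "Oct 3 00:27:20 boydf5 err mcpd[2300]: constructed sample: configuration load failed",
    "Oct 3 00:27:30 boydf5 notice httpd[2400]: constructed sample: admin login",
]

# f_remote_loghost from the thread: warning and more severe only.
F_REMOTE_LOGHOST = level_filter("warn", "emerg")

if __name__ == "__main__":
    for ln in forward(SAMPLE, F_REMOTE_LOGHOST):
        print(ln)  # the sshd and mcpd lines; cron and notice lines are dropped
```

Note that the notice-level line is dropped too, so anything you want on the remote server at notice (login activity, for instance) needs either a wider range or a second filter on facility or program.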