fillstrsoh_2962
Dec 12, 2008 Nimbostratus
tmm entries for syslog
tmm logs to our remote syslog-ng servers, but the entries show up as coming from tmm instead of the IP/hostname of the actual system. Since we have multiple Big-IPs, the tmm entries from multiple machines are collected in one file instead of the file specific to that machine. See these examples, which are from two separate Big-IPs:
Dec 11 04:39:56 tmm tmm[3793]: Rule v3vvv_irule : ,clnt_ip=10.100.x.x,clnt_port=1060,loc_ip=10.100.x.x,loc_port=80,uri=/,http_redirect=https://v3vvv/v3vvv/app
Dec 11 06:26:15 tmm tmm[1094]: Rule oit_forced_route : Sending Traffic to 12.146.x.x through OIT router
We were able to modify the syslog-ng.conf file of the syslog server we manage so that the tmm entries log to the appropriate files. We also send logs to an MSSP syslog server, which is seeing the tmm entries as described above. Is there a change on the Big-IPs that can be made so that the tmm entries show the IP/hostname that they are coming from?
It looks like this is happening on two Big-IP LTM units (version 9.3.1 build 46.7) and two Big-IP ASM units (version 9.4.5 Build 1086.1 HF2).
F5 support responded, "The only way to do this on the BigIPs would be to use the 'bigpipe syslog include' command and create a filter on the LTM's config. But this is outside the scope of what we cover here in support."
Any help creating this filter would be greatly appreciated.
Thanks,
Mark
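
Added example, not part of the original post and not F5 or syslog-ng code: a collector-side sketch in Python of the workaround described above, where a line whose HOST field reads "tmm" is re-attributed to the device that sent the packet. The sender addresses, device names and the function names `attribute` and `route` are assumptions made for illustration.

```python
import re

# Constructed sender-address -> device-name map (hypothetical values).
SENDERS = {"192.0.2.10": "bigip-ltm-a", "192.0.2.20": "bigip-asm-b"}

# HOST values that are really a program name, as in the post's tmm lines.
BOGUS_HOSTS = {"tmm"}

# BSD-syslog style line as stored by a collector: "Mmm dd hh:mm:ss HOST TAG: MSG"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): ?(?P<msg>.*)$"
)

def attribute(line, sender_ip):
    """Return (host, line), preferring the packet source over a bogus HOST field."""
    fallback = SENDERS.get(sender_ip, sender_ip)
    m = LINE_RE.match(line)
    if m is None:
        # Unparseable line: keep it untouched, file it under the sender.
        return fallback, line
    host = fallback if m["host"] in BOGUS_HOSTS else m["host"]
    return host, f'{m["ts"]} {host} {m["tag"]}: {m["msg"]}'

def route(events):
    """Group (sender_ip, line) pairs into per-device buckets, like per-host files."""
    buckets = {}
    for sender_ip, line in events:
        host, rewritten = attribute(line, sender_ip)
        buckets.setdefault(host, []).append(rewritten)
    return buckets

# Constructed input: one line from the post, the rest made up, with made-up senders.
SAMPLE = [
    ("192.0.2.10", "Dec 11 04:39:56 tmm tmm[3793]: Rule example_irule : uri=/"),
    ("192.0.2.20", "Dec 11 06:26:15 tmm tmm[1094]: Rule oit_forced_route : "
                   "Sending Traffic to 12.146.x.x through OIT router"),
    ("192.0.2.10", "Dec 11 06:30:01 bigip-ltm-a sshd[411]: session opened"),
    ("198.51.100.7", "Dec 11 06:31:00 tmm tmm[77]: Rule example : unknown sender"),
]

if __name__ == "__main__":
    for host, lines in sorted(route(SAMPLE).items()):
        print(host)
        for entry in lines:
            print("   ", entry)
```

With syslog over UDP the source address is not authenticated, so this mapping is only as trustworthy as the network path between the devices and the collector.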