tmm entries for syslog

Question

When tmm logs to our remote syslog-ng servers but the entries show up as coming from tmm instead of the IP/hostname of the actual system. Since we have multiple Big-IPs the tmm entries from multiple machines are collected in one file instead of the file specific to that machine. See examples that are from two separate Big-IPs:  
&nbsp;  
&nbsp; Dec 11 04:39:56 tmm tmm[3793]: Rule v3vvv_irule : ,clnt_ip=10.100.x.x,clnt_port=1060,loc_ip=10.100.x.x,loc_port=80,uri=/,http_redirect=https://v3vvv/v3vvv/app  
&nbsp;  
&nbsp; Dec 11 06:26:15 tmm tmm[1094]: Rule oit_forced_route : Sending Traffic to 12.146.x.x through OIT router  
&nbsp;  
&nbsp; We were able to modify the syslog-ng.conf file of the syslog server we manage so that the tmm entries log to the appropriate files. We also send logs to a MSSP syslog server which is seeing the tmm entries as described above. Is there a change on the Big-IPs that can be made so that the tmm entries show the IP/hostname that they are coming from?  
&nbsp;  
&nbsp; It looks like this is happening on two Big-IP LTM units (version 9.3.1 build 46.7) and two Big-IP ASM units (version 9.4.5 Build 1086.1 HF2). 
&nbsp;  
&nbsp; F5 support responded, "The only way to do this on the BigIPs would be to use the 'bigpipe syslog include' command and create a filter on the LTM's config. But this is outside the scope of what we cover here in support." 
&nbsp;  
&nbsp; Any help creating this filter would be greatly appreciated. 
&nbsp;  
&nbsp; Thanks, 
&nbsp;  
&nbsp; Mark 
&nbsp;

hooleylist · Answer

Hi Mark, 
&nbsp;  
&nbsp; I think you can modify syslog-ng to insert an arbitrary string in log messages: 
&nbsp;  
&nbsp;  
&nbsp; https://lists.balabit.hu/pipermail/syslog-ng/2006-January/008385.html 
&nbsp;  
&nbsp; I don't know if it's pretty, but I've used this kind of thing: 
&nbsp;  
&nbsp; destination d_insert_txt { 
&nbsp; tcp("10.0.0.8" port(5140) 
&nbsp; template("$DATE $SOURCEIP $MESSAGE - service xyz for user root
")  
&nbsp; template-escape(no) 
&nbsp; ); 
&nbsp; }; 
&nbsp;  
&nbsp; filter f_ssh_root_login { 
&nbsp; program("sshd") and 
&nbsp; match("Accepted keyboard-interactive/pam for root"); 
&nbsp; }; 
&nbsp;  
&nbsp; log {    
&nbsp;         source(local); 
&nbsp;         filter(f_ssh_root_login); 
&nbsp;         destination(d_insert_txt); 
&nbsp; }; 
&nbsp;  
&nbsp; This sends it over a TCP stream, but you can modify it to use a file 
&nbsp; pretty easily. 
&nbsp; &nbsp; 
&nbsp;  
&nbsp; I wasn't sure if the b syslog utility would allow the use of the template statement, but there is what looks like a very comprehensive example (to send email) which uses templates in the Codeshare from lrhazi: 
&nbsp;  
&nbsp; Syslog-ng Email Configuration (9.4.2+): 
&nbsp; http://devcentral.f5.com/wiki/default.aspx/AdvDesignConfig/SyslogNGEmailConfiguration.html 
&nbsp;  
&nbsp; This should be easier on 9.3.1 if you don't have to go through the b syslog utility to modify the syslog-ng configuration file. 
&nbsp;  
&nbsp; Here are some references on using templates in syslog-ng: 
&nbsp;  
&nbsp; Macros: variables for date, hostname, etc (Click here) 
&nbsp;  
&nbsp; Templates: (Click here) 
&nbsp;  
&nbsp; And here is a good FAQ for syslog-ng (campin.net - Click here) 
&nbsp;  
&nbsp; Aaron

fillstrsoh_2962 · Answer

Aaron, 
&nbsp;  
&nbsp; Does syslog-ng get the host portion of this information "Dec 11 04:39:56 tmm tmm" from /etc/hosts? If so would it be possible to modify /etc/hosts so that [127.1.1.2   tmm] would also have the system name as such [127.1.1.2   tmm  silver.strsoh.org] so that the output would look like this "Dec 11 04:39:56 silver tmm"?  
&nbsp;  
&nbsp; Also there is an interesting post that describes new features in syslog-ng version 3 that will do exactly what I need. 
&nbsp;  
&nbsp; http://bazsi.blogs.balabit.com/2008_11_01_archive.html 
&nbsp;  
&nbsp; Thanks for the information you provided. 
&nbsp;  
&nbsp; Mark

fillstrsoh_2962 · Answer

Aaron, 
&nbsp;  
&nbsp; Aside from the entry being overwritten during an upgrade, do you forsee any system issues, on either LTM or ASM, as a result of editing /etc/hosts?  
&nbsp;  
&nbsp; Thanks, 
&nbsp;  
&nbsp; Mark

hooleylist · Answer

Hi Mark, 
&nbsp;  
&nbsp; Actually, it looks like syslog-ng 3.0 was released already... 
&nbsp;  
&nbsp; A test box didn't fall over immediately upon changing the host file entry.  And you'd leave tmm listed as a host for 127.2.0.2.  It would just mean that 127.2.0.2 ad the other tmm IP's wouldn't have tmm listed first.  I suspect this wouldn't cause any issues, but it would make sense to double check this with F5 Support.  They'll probably tell you it's not a supported change.  But if you explain why you want to do it, they might be willing to check into any possible problems with it.  You could open a request for enhancement at the same time asking them to include the hostname for all loopback IP's. 
&nbsp;  
&nbsp; Aaron

hooleylist · Answer

Hi Mark, 
&nbsp;  
&nbsp; If you're still following this post, did you end up using either option?  If so, did you have any success? 
&nbsp;  
&nbsp; Thanks, 
&nbsp; Aaron

Forum Discussion

tmm entries for syslog

7 Replies

Recent Discussions

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

Related Content

Modifying multiple entries in a datagroup via api?

Tcp syslog

TMM Clock Advanced by Ticks

LTM 9.4.2+: Custom Syslog Configuration

BIG-IP to Process TLS Syslog Traffic