Forum Discussion

asiosio_165682's avatar
asiosio_165682
Icon for Nimbostratus rankNimbostratus
Aug 12, 2014

Big-IP Syslog duplicate date

Hello,

I have a F5 Big-IP 6800 in with the "BIG-IP 10.2.4 Build 817.0 Hotfix HF7" version. I have recently enabled syslog logging (see the following config):

sys syslog {
    remote-servers {
        LoggingServer {
            host x.x.x.x
        }
    }
}

I encounter the following issue: The datetime is "double tampered" on the logs lines.

For exemple I get the following:

Jul 25 15:32:57 10.150.154.250 Jul 25 14:04:01 local/itool-f5-6800-3 debug crond[32179]: pam_bigip_authz: pam_sm_acct_mgmt returning status ERR
Jul 25 15:32:57 10.150.154.250 Jul 25 14:04:01 local/itool-f5-6800-3 warning crond[32179]: Deprecated pam_stack module called from service "crond"

You can see than the datetime is duplicate..

Is there a way to manage this issue ?

Thanks,

Asiosio

4 Replies

  • You can see than the datetime is duplicate..

     

    would it be possible that the first date is from syslog server itself (its configuration)?

     

    • mimlo_61970's avatar
      mimlo_61970
      Icon for Cumulonimbus rankCumulonimbus
      Agreed, the first one is probably the syslog server, the second one from the F5. You can probably configure the syslog server to log one or the other, but this is a perfect example of why logging both is good. Your times are not the same. Which one is right? If you only logged one, and it was the wrong one, that would make aligning events very difficult.
  • You can see than the datetime is duplicate..

     

    would it be possible that the first date is from syslog server itself (its configuration)?

     

    • mimlo_61970's avatar
      mimlo_61970
      Icon for Cumulonimbus rankCumulonimbus
      Agreed, the first one is probably the syslog server, the second one from the F5. You can probably configure the syslog server to log one or the other, but this is a perfect example of why logging both is good. Your times are not the same. Which one is right? If you only logged one, and it was the wrong one, that would make aligning events very difficult.