Forum Discussion

adam_rothschild's avatar
adam_rothschild
Icon for Nimbostratus rankNimbostratus
Oct 20, 2015

irule to send to syslog and not write to log file

I would like an irule that sends to a syslog server rather than write the log to any logfile locally. So far I can get my log in /var/log/ltm and the syslog server that the box has set as the remote logging server. But I cannot get it to just send to the server listed in the irule and not appear in the local log. I left just the IP of the log server and removed local0. I dont get anything in either place after that. Any Suggestions?

 

when SERVER_CONNECTED {

 

set snat [IP::local_addr]

 

log 10.X.X.X local0. "[IP::client_addr], [IP::local_addr], [IP::server_addr]"

 

}

 

when SERVER_CLOSED {

 

set snat [IP::local_addr]

 

log 10.X.X.X local0. "[IP::local_addr], [IP::server_addr]"

 

}

 

15 Replies

  • Don't write to the local

    log
    with the log command. Use HSL, https://devcentral.f5.com/wiki/iRules.HSL.ashx

    when SERVER_CONNECTED {
        set hsl [HSL::open -proto UDP -pool ]
        HSL::send $hsl "[IP::client_addr], [IP::local_addr], [IP::server_addr]"
    }
    when SERVER_CLOSED {
        HSL::send $hsl "[IP::local_addr], [IP::server_addr]"
    }
    
    • adam_rothschild's avatar
      adam_rothschild
      Icon for Nimbostratus rankNimbostratus
      Is there any dependency for the syslog server set in the pool above to accept HSL? Reason I ask is that I see my irule taking hits in statistics, but never see the log in syslog.
    • Brad_Parker's avatar
      Brad_Parker
      Icon for Cirrus rankCirrus
      Your syslog pool should contain a syslog server that is setup to receive syslogs on the configured port with the proto in HSL::open(UDP or TCP). Also, TMM needs to have a route or L2 access to that syslog server.
    • adam_rothschild's avatar
      adam_rothschild
      Icon for Nimbostratus rankNimbostratus
      Ok, i have a mgmt route and i see the connection. It doesnt feel correct being that the soruorce (10.32.92.6) is a self IP of the device and not sure about the any6.any. Maybe I'm not correct about that. any6.any any6.any 10.32.92.6:39519 10.17.56.14:514 udp 11 (slot/tmm: 1/1) none sys management-route 10.17.56.14/32 { gateway 10.32.92.1 network 10.17.56.14/32 }
    • adam_rothschild's avatar
      adam_rothschild
      Icon for Nimbostratus rankNimbostratus
      Is there any dependency for the syslog server set in the pool above to accept HSL? Reason I ask is that I see my irule taking hits in statistics, but never see the log in syslog.
    • Brad_Parker_139's avatar
      Brad_Parker_139
      Icon for Nacreous rankNacreous
      Your syslog pool should contain a syslog server that is setup to receive syslogs on the configured port with the proto in HSL::open(UDP or TCP). Also, TMM needs to have a route or L2 access to that syslog server.
    • adam_rothschild's avatar
      adam_rothschild
      Icon for Nimbostratus rankNimbostratus
      Ok, i have a mgmt route and i see the connection. It doesnt feel correct being that the soruorce (10.32.92.6) is a self IP of the device and not sure about the any6.any. Maybe I'm not correct about that. any6.any any6.any 10.32.92.6:39519 10.17.56.14:514 udp 11 (slot/tmm: 1/1) none sys management-route 10.17.56.14/32 { gateway 10.32.92.1 network 10.17.56.14/32 }
  • Hi guys,

     

    I have a limit connection in pools. I need send a log when the maximum connection limit reached.