Customizing syslog-ng f_local0 filter

This is for v10.1.0.

I have developed an iRule that provides us with some useful troubleshooting information by sending useful events to a custom log file. Syslog-ng was set up to capture these events based on a custom syslog-ng filter I added using the "b syslog include" statement which looks for a custom string pattern. This all works fine and good. The issue I've got is that because of the default f_local0 filter, these log messages are also being sent to the /var/log/ltm file. I want to isolate these logging events to my custom log file by adding an exclusion statement in the f_local0 filter. However the top of the syslog-ng.conf file warns against editing the file directly, and the bigpipe syslog command doesn't seem to provide any way to customize built-in filters. Is there another way to customize the default syslog-ng filters using the bigpipe syslog command?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Hi SMP,

You should be able to redefine the default d_ltm filter using the steps outlined in Deb's article:

LTM 9.4.2+: Custom Syslog Configuration
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=155

See the section titled: Modifying the default logging

Aaron
Hi Hoolio,

Thanks for the reference. The document doesn't explicitly state how this works. It sort of implies that it works because the include statement is the last statement to load - much like apache's config file. Is that what I'm supposed to assume?
That's what I got from the article as well. If I remember correctly... If you try to define an object which already exists in the default syslog-ng config using an include file, it just redefines the object (and does not modify the previously defined object).

Aaron
"...and overrides the default object definitions, since the include statement is the last one to load." That's a critical piece that's missing in the doc, in my opinion. My testing today confirmed my suspicion - the "bigpipe syslog include" command overrides everything else. Here's the syslog-ng customization I developed to send a subset of log entries to a custom log file. In my logging iRule, I simply need to add a "##" custom string to the log output. I chose to match the string ": ##" instead of just "##" in the f_local0 filter because it was capturing AUDIT logging events in the /var/log/customlog every time I modified the iRule.

Logging iRule Definition
when CLIENT_ACCEPTED {
    log local0. "this goes to /var/log/ltm"
    log local0. "##this goes to /var/log/customlog"
}

Syslog-ng Include
Note that including the definition for filter "f_local0" overrides the built-in definition because the include definition is the last one to load:

b syslog include '"
    filter f_local0 {
        facility(local0) and not match(\": ##\");
    };

    filter f_local0_customlog {
        facility(local0) and match(\": ##\");
    };

    destination d_customlog {
        file(\"/var/log/customlog\" create_dirs(yes));
    };

    log {
        source(local); filter(f_local0_customlog); destination(d_customlog);
    };
"'
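The answer above explains why the filter matches ": ##" rather than a bare "##": syslog-ng's match() is an unanchored regex search over the message text, so any local0 line that merely mentions the marker (such as an AUDIT entry recording the iRule edit itself) would also be diverted to the custom log. The following Python script is an added illustration, not code from the original thread or from F5: it models the two filter variants as regexes and routes a handful of constructed sample messages the way the f_local0 / f_local0_customlog pair would. The message wording, the function name route() and the facility tags are assumptions made for the example; real /var/log/ltm lines may differ in detail.

```python
import re

# The two filter expressions from the thread, as Python regexes.
# syslog-ng's match("...") is an unanchored regex search on the message body.
F_LOCAL0_CUSTOMLOG = re.compile(r": ##")   # match(": ##") -- the version that works
F_LOCAL0_NAIVE = re.compile(r"##")         # match("##")   -- the version that caught AUDIT lines

# Constructed sample messages (facility, text). These are modelled on what the
# iRule in the thread would emit plus an audit entry for saving the iRule; they
# are illustrative, not captured from a real BIG-IP.
SAMPLE_MESSAGES = [
    ("local0", "Rule my_logging_rule <CLIENT_ACCEPTED>: this goes to /var/log/ltm"),
    ("local0", "Rule my_logging_rule <CLIENT_ACCEPTED>: ##this goes to /var/log/customlog"),
    ("local0", 'AUDIT - user admin - modified rule my_logging_rule: "##this goes to /var/log/customlog"'),
    ("local1", "unrelated facility: ##never considered by f_local0"),
]


def route(messages, custom_filter):
    """Apply the f_local0 / f_local0_customlog split to (facility, text) pairs.

    Returns (to_ltm, to_customlog). A local0 message goes to exactly one of the
    two lists, mirroring the "facility(local0) and [not] match(...)" pair, so
    nothing is duplicated into /var/log/ltm any more. Other facilities are
    ignored here because neither filter selects them.
    """
    to_ltm, to_customlog = [], []
    for facility, text in messages:
        if facility != "local0":
            continue
        if custom_filter.search(text):   # f_local0_customlog
            to_customlog.append(text)
        else:                            # f_local0 (the overridden definition)
            to_ltm.append(text)
    return to_ltm, to_customlog


if __name__ == "__main__":
    for name, flt in (("match(\": ##\")", F_LOCAL0_CUSTOMLOG), ("match(\"##\")", F_LOCAL0_NAIVE)):
        ltm, custom = route(SAMPLE_MESSAGES, flt)
        print(f"{name}: {len(ltm)} line(s) to /var/log/ltm, {len(custom)} to /var/log/customlog")
        for line in custom:
            print("   customlog <-", line)
```

Running it shows the difference the answer describes: with ": ##" only the iRule's marked message lands in the custom log, while with a bare "##" the audit line that quotes the iRule body is diverted as well.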
That's a novel approach with the two hashes for differentiating the custom iRule logging from standard logging.

Aaron