

Questions and Answers


Hello,
is there a way to change the default syslog facilities?
We have an external syslog server (Not managed by us, of course;-) which only forwards facility 7 messages to the log files we are authorised to use. Yes, I know, it should be different, but it's not a perfect world :-(

I know exactly which log events I'd like to forward to this server, but they have different facilities. I would like to change the facility of these messages to 7 before they are sent to the external server.
I had a look at "b syslog" but this doesn't seem to do the thing for me.
We are running LTM with 9.4.3

Any help appreciated.
Wouter de Bruin

11 Answer(s):

Yes, syslog-ng can be setup to do this. Please reference this tech tip and post back if you have any questions.

https://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=155
Hi Jason,
Thanks for sharing the link. I'm in the same situation as Wouter here... ASM logs are on local3 facility and I need to send them to a remote syslog server but it has to be at local7.   I've been googling for any solution for quite a while now and finally given up... 


Can you pls highlight exactly where the configuration is? I tried reading your example but can't seem to tell where this is done....

Thank you in advance...

could u pls try this? let us know if it doesn't work.

Changing the Facility or Priority of a Syslog Message section
http://www.syslog.org/logged/pot-of-syslog-ng-tricks-version-3/
Thanks Nitass.

I tried following that but I get the below error...

b syslog include '"
# local3.*                                      /var/log/asm
filter f_local3a {
   facility(local3);
};

destination d_asmtest {
   file("/var/log/custom/asm_log_file"
   template("<190>$DATE $HOST $MSGHDR$MSG\n"; template_escape(no)));
};

log {
   source(local);
   filter(f_local3a);
   destination(d_asmtest);
};
"'
BIGpipe parsing error:
   012e0022:3: The requested value (/var/log/custom/asm_log_file") is invalid (show | (<string> | none)) for 'include' in 'syslog' 


I felt that bigpipe had its own way of parsing templates, so I referenced an existing template field in the original syslog conf file... and this is what I got... it had to declare the template and then bind it with the destination file... I followed the format but it didn't help though... I will try out other things, but if you have any idea where I'm wrong here, I would appreciate it.. tnx

note: this is one of our spare units... so the destination file changed a little

b syslog include '"
# local3.*                                      /var/log/asm
filter f_local3a {
   facility(local3);
};

template t_asm {
   template("<190> $DATE $HOST $MSGHDR$MSG\n");
   template_escape(no);
};

destination d_asmtest {
   file("/var/log/lost+found/output/testasmlog" template(t_asm));
};

log {
   source(local);
   filter(f_local3a);
   destination(d_asmtest);
};
"'
BIGpipe parsing error:
   012e0022:3: The requested value (<190> $DATE) is invalid (show | <string> | none) for 'include' in 'syslog'
 
can u put backslash (\) in front of double quote (")?
Yup, that fixed it. Below is the working config.

b syslog include '"
# local3.*                                      /var/log/asm
filter f_local3a {
   facility(local3);
};

template t_asm {
   template(\"<190> $DATE $HOST $MSGHDR$MSG\n\");
   template_escape(no);
};

destination d_asmtest {
   file(\"/var/log/lost+found/output/testasmlog\" template(t_asm));
};

destination d_loghost5a {
udp(\"10.2.2.2\" port (514));
};

log {
   source(local);
   filter(f_local3a);
   destination(d_asmtest);
   destination(d_loghost5a);
};
"'
 


But below is the end result of the syslog... as you can see it actually wrote <190> instead of changing the facility. I'll play around with it and get back to you if I fix it...


<190> Jun 14 06:51:51 blah blah blah blah blah 
this is mine.


b syslog include '"
filter f_local3a {
   facility(local3);
};
template t_asm {
   template(\"<190> $DATE $HOST $MSGHDR$MSG\n\");
   template_escape(no);
};
destination d_loghost5a {
udp(\"192.168.206.96\" port (514) template(t_asm));
};
log {
   source(local);
   filter(f_local3a);
   destination(d_loghost5a);
};
"'



71 12:00:21.300602 0.000000 172.28.16.50 192.168.206.96 Syslog LOCAL7.INFO: Jun 14 20:55:18 tulip root: test\n
Appreciate your help Nitass... it's working now... below is my working code....

Note: I removed the $DATE and $HOST entry since it's already part of the MSG header...

b syslog include '"
filter f_local3a {
   facility(local3);
};
template t_asm {
   template(\"<190> $MSGHDR$MSG\n\");
   template_escape(no);
};

destination d_loghost5a {
udp(\"2.2.2.2\" port (514) template(t_asm));
};
log {
   source(local);
   filter(f_local3a);
   destination(d_loghost5a);
};
"' 
thanks for update and glad to hear it works now. :-)
Nice work, guys! I wrote up your solution:

https://devcentral.f5.com/weblogs/jason/archive/2011/06/20/changing-the-big-ip-default-syslog-ng-facilities.aspx
The equivalent tmsh syntax is

modify sys syslog include "filter f_local3a { facility(local3); }; template t_asm { template(\"<190> $DATE $HOST $MSGHDR$MSG\\n\"); template_escape(no); }; destination d_loghost5a { udp(\"2.2.2.2\" port (514) template(t_asm)); }; log { source(local); filter(f_local3a); destination(d_loghost5a); }; "

and if you want to log every message into one remote syslog facility I used this CLI

modify sys syslog include "template t_asm { template(\"<190> $DATE $HOST $MSGHDR$MSG\\n\"); template_escape(no); }; destination d_loghost5a { udp(\"10.255.0.1\" port (514) template(t_asm)); }; log { source(local); destination(d_loghost5a); }; "
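
An added example, not part of any post in this thread: a Python sketch of how a receiver reads the `<190>` that the template writes (23 × 8 + 6, which is local7.info), and of the side effect that a fixed PRI sets every forwarded message to severity info. `apply_template` is a hypothetical model of the template, and the sample datagrams are constructed.

```python
import re

# Facility and severity codes from RFC 3164; list index == numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def encode_pri(facility, severity):
    """PRI value a sender puts on the wire: facility * 8 + severity."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(datagram):
    """(facility, severity) as a receiver reads it; None if PRI is absent or > 191."""
    m = PRI_RE.match(datagram)
    if m is None or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def apply_template(datagram, pri=190):
    """Hypothetical model of the thread's template: drop the original PRI, write a fixed one."""
    body = PRI_RE.sub(b"", datagram, count=1)
    return b"<%d> " % pri + body


def forwarded(datagrams, wanted="local7"):
    """Datagrams that a downstream filter on facility `wanted` would keep."""
    return [d for d in datagrams if (decode_pri(d) or ("",))[0] == wanted]


# Constructed sample traffic: two local3 events, one line with no PRI, one invalid PRI.
SAMPLES = [
    b"<155>Jun 14 06:51:51 bigip ASM: constructed error event\n",   # local3.err
    b"<158>Jun 14 06:51:52 bigip ASM: constructed info event\n",    # local3.info
    b"Jun 14 06:51:53 bigip no PRI at all\n",
    b"<999>Jun 14 06:51:54 bigip PRI out of range\n",
]

if __name__ == "__main__":
    for raw in SAMPLES[:2]:
        out = apply_template(raw)
        print(decode_pri(raw), "->", decode_pri(out), out)
    print(len(forwarded(SAMPLES)), "of", len(SAMPLES), "pass a local7 filter untouched")
```

Because the local3.err sample arrives as local7.info after the rewrite, any alerting on the remote server that keys on severity has to match on message content instead.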
