Can I change default syslog facilities? (9.4.3)

Updated 7/9/2008 • Originally posted on 09-Jul-2008 by Wouter de Bruin 0

Hello,
is there a way to change the default syslog facilities?
We have an external syslog server (not managed by us, of course ;-) which only forwards facility 7 messages to the log files we are authorised to use. Yes, I know, it should be different, but it's not a perfect world :-(

I know exactly which log events I'd like to forward to this server, but they have different facilities. I would like to change the facility of these messages to 7 before they are sent to the external server.
I had a look at "b syslog" but this doesn't seem to do the thing for me.
We are running LTM with 9.4.3

Any help appreciated.
Wouter de Bruin
Answers to this Question

13 Answers:

Updated 09-Jul-2008 • Originally posted on 09-Jul-2008 by Jason Rahm
Yes, syslog-ng can be set up to do this. Please reference this tech tip and post back if you have any questions.

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=155
Updated 13-Jun-2011 • Originally posted on 13-Jun-2011 by geffryti 0
Hi Jason,
Thanks for sharing the link. I'm in the same situation as Wouter here... ASM logs are on local3 facility and I need to send them to a remote syslog server but it has to be at local7. I've been googling for any solution for quite a while now and finally given up...


Can you pls highlight exactly where the configuration is? I tried reading your example but can't seem to tell where this is done....

Thank you in advance...

Updated 13-Jun-2011 • Originally posted on 13-Jun-2011 by nitass 12650
could u pls try this? let us know if it doesn't work.

Changing the Facility or Priority of a Syslog Message section
http://www.syslog.org/logged/pot-of-syslog-ng-tricks-version-3/
Updated 13-Jun-2011 • Originally posted on 13-Jun-2011 by geffryti 0
Thanks Nitass.

I tried to follow that but I get the below error...

b syslog include '"
# local3.*                                      /var/log/asm
filter f_local3a {
   facility(local3);
};

destination d_asmtest {
   file("/var/log/custom/asm_log_file"
   template("<190>$DATE $HOST $MSGHDR$MSG\n"; template_escape(no)));
};

log {
   source(local);
   filter(f_local3a);
   destination(d_asmtest);
};
"'
BIGpipe parsing error:
   012e0022:3: The requested value (/var/log/custom/asm_log_file") is invalid (show | (<string> | none)) for 'include' in 'syslog' 


I felt that bigpipe had its own way of parsing templates, so I referenced an existing template field in the original syslog conf file... and this is what I got... it had to declare the template and then bind it with the destination file... I followed the format but it didn't help though... I will try out other things, but if you have any idea where I'm wrong here, I would appreciate it.. tnx

note: this is one of our spare units... so the destination file changed a little

b syslog include '"
# local3.*                                      /var/log/asm
filter f_local3a {
   facility(local3);
};

template t_asm {
   template("<190> $DATE $HOST $MSGHDR$MSG\n");
   template_escape(no);
};

destination d_asmtest {
   file("/var/log/lost+found/output/testasmlog" template(t_asm));
};

log {
   source(local);
   filter(f_local3a);
   destination(d_asmtest);
};
"'
BIGpipe parsing error:
   012e0022:3: The requested value (<190> $DATE) is invalid (show | <string> | none) for 'include' in 'syslog'
 
Updated 13-Jun-2011 • Originally posted on 13-Jun-2011 by nitass 12650
can u put backslash (\) in front of double quote (")?
Updated 14-Jun-2011 • Originally posted on 14-Jun-2011 by geffryti 0
Yup, that fixed it. Below is the working config.

b syslog include '"
# local3.*                                      /var/log/asm
filter f_local3a {
   facility(local3);
};

template t_asm {
   template(\"<190> $DATE $HOST $MSGHDR$MSG\n\");
   template_escape(no);
};

destination d_asmtest {
   file(\"/var/log/lost+found/output/testasmlog\" template(t_asm));
};

destination d_loghost5a {
udp(\"10.2.2.2\" port (514));
};

log {
   source(local);
   filter(f_local3a);
   destination(d_asmtest);
   destination(d_loghost5a);
};
"'
 


But below is the end result of the syslog... as you can see it actually wrote <190> instead of changing the facility. I'll play around with it and get back to you if I fix it...


<190> Jun 14 06:51:51 blah blah blah blah blah 
Updated 14-Jun-2011 • Originally posted on 14-Jun-2011 by nitass 12650
this is mine.


b syslog include '"
filter f_local3a {
   facility(local3);
};
template t_asm {
   template(\"<190> $DATE $HOST $MSGHDR$MSG\n\");
   template_escape(no);
};
destination d_loghost5a {
udp(\"192.168.206.96\" port (514) template(t_asm));
};
log {
   source(local);
   filter(f_local3a);
   destination(d_loghost5a);
};
"'



71 12:00:21.300602 0.000000 172.28.16.50 192.168.206.96 Syslog LOCAL7.INFO: Jun 14 20:55:18 tulip root: test\n
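
The `<190>` in the templates above is the syslog PRI value (facility × 8 + severity), which is why the capture decodes it as LOCAL7.INFO. The following is an added example, not code from this thread or from F5: it decodes a PRI and, going beyond the thread, rewrites only the facility while keeping the sender's severity. The sample datagrams are constructed.

```python
import re

# Facility and severity names in numeric order (RFC 3164 / RFC 5424).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")

# Constructed sample datagrams (not captured traffic).
FIXED_TEMPLATE = b"<190> Jun 14 20:55:18 tulip root: test\n"      # template output
ORIGINAL_ERR = b"<155>Jun 14 20:55:18 tulip ASM: sample event\n"  # local3.err


def encode_pri(facility, severity):
    """PRI = facility number * 8 + severity number."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(datagram):
    """Return (facility, severity) for a raw datagram, or None if no valid PRI."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:   # 23 * 8 + 7 is the largest legal PRI
        return None
    fac, sev = divmod(int(m.group(1)), 8)
    return FACILITIES[fac], SEVERITIES[sev]


def rewrite_facility(datagram, facility):
    """Swap the facility in the PRI but keep the original severity."""
    decoded = decode_pri(datagram)
    if decoded is None:
        raise ValueError("datagram has no valid PRI header")
    pri = encode_pri(facility, decoded[1])
    return PRI_RE.sub(b"<%d>" % pri, datagram, count=1)


if __name__ == "__main__":
    print(decode_pri(FIXED_TEMPLATE))              # what the receiver sees
    print(rewrite_facility(ORIGINAL_ERR, "local7"))
```

Because the template hard-codes 190, every forwarded message arrives as local7.info whatever its original severity, so severity-based filtering or alerting on the receiving server no longer distinguishes these events.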
Updated 15-Jun-2011 • Originally posted on 15-Jun-2011 by geffryti 0
Appreciate your help Nitass... it's working now... below is my working code....

Note: I removed the $DATE and $HOST entry since it's already part of the MSG header...

b syslog include '"
filter f_local3a {
   facility(local3);
};
template t_asm {
   template(\"<190> $MSGHDR$MSG\n\");
   template_escape(no);
};

destination d_loghost5a {
udp(\"2.2.2.2\" port (514) template(t_asm));
};
log {
   source(local);
   filter(f_local3a);
   destination(d_loghost5a);
};
"' 
Updated 15-Jun-2011 • Originally posted on 15-Jun-2011 by nitass 12650
thanks for update and glad to hear it works now. :-)
Updated 20-Jun-2011 • Originally posted on 20-Jun-2011 by Jason Rahm
Nice work, guys! I wrote up your solution:

http://devcentral.f5.com/weblogs/jason/archive/2011/06/20/changing-the-big-ip-default-syslog-ng-facilities.aspx
Updated 18-Mar-2013 • Originally posted on 18-Mar-2013 by efftee 0
The equivalent tmsh syntax is

modify sys syslog include "filter f_local3a { facility(local3); }; template t_asm { template(\"<190> $DATE $HOST $MSGHDR$MSG\\n\"); template_escape(no); }; destination d_loghost5a { udp(\"2.2.2.2\" port (514) template(t_asm)); }; log { source(local); filter(f_local3a); destination(d_loghost5a); }; "

and if you want to log every message into one remote syslog facility I used this CLI

modify sys syslog include "template t_asm { template(\"<190> $DATE $HOST $MSGHDR$MSG\\n\"); template_escape(no); }; destination d_loghost5a { udp(\"10.255.0.1\" port (514) template(t_asm)); }; log { source(local); destination(d_loghost5a); }; "
Comments on this Answer
Comment made 2 weeks ago by Hem 171

This command does not work fine. Please help.

Updated 2 weeks ago • Originally posted on 13-May-2016 by Hem 171

Can someone get me the correct tmsh command that can modify the log facility to local3 before sending to the syslog server in 12.0.0 HF2?

Updated 2 weeks ago • Originally posted on 16-May-2016 by Hem 171

Any help on this is greatly appreciated.

We want to send all syslogs from F5 devices to a remote syslog server to facility local3.

The syslog server has different facilities. I would like to change the facility of these messages to 3 before F5 syslogs are sent to the syslog server. This will make sure all logs from F5 will go to a single file on the syslog server in the name of the local3 facility. It is easy to manage logs that way on the syslog server. Otherwise logs are all over the place, and we have a customized syslog server to write each unique device type's syslog to a unique facility.

Please let me know for any additional information required.