setting up syslog?

i've looked through the docs for info on logging to a remote syslog server via udp, everything i've tried results in the same error - anyone have any ideas?
# b syslog remote server x.x.x.x        
BIGpipe parsing error:
012e0022:3: The requested value (x.x.x.x) is invalid (show | <remote server list> | none) [add | delete]) for 'remote server' in 'syslog'

# b syslog remote server x.x.x.x remote port 514    
BIGpipe parsing error:
012e0022:3: The requested value (x.x.x.x remote) is invalid (show | <remote server list> | none) [add | delete]) for 'remote server' in 'syslog'

using v10:
# uname -a   
Linux blahblah.com 2.4.21-10.0.1.283.0smp #2 SMP Tue May 12 18:23:09 PDT 2009 i686 i686 i386 GNU/Linux
0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
This appears to work for me:
 
[root@bigip1:Active:avc(0)] config # b syslog remote server 'foo' host 10.20.20.1 add

[root@bigip1:Active:avc(0)] config # b syslog remote server show
SYSLOG - Remote Server:
+-> REMOTE SERVER foo
[root@bigip1:Active:avc(0)] config # b syslog remote server list
syslog {
remote server foo {
host 10.20.20.1
}
}

-Matt
0
ah ha - much better, thanks a lot.
0
bumping - just got around to working on this again. logging works fine but my issue is my big-ip sends the syslog message with a hostname of "local" which doesn't really help a lot for reporting and searching.. any ideas on how to change that?

+---------+-------+----------+----------+--------+-------------+------------+----------+---------------------------+
| id      | host  | facility | priority | level  | program     | date       | time     | message                   |
+---------+-------+----------+----------+--------+-------------+------------+----------+---------------------------+
| 6277214 | local | user     | notice   | notice | notice root | 2010-04-20 | 11:11:03 | notice root: test message | 
+---------+-------+----------+----------+--------+-------------+------------+----------+---------------------------+
0
Hi Nik,

Check this post for a few options. If you get stuck let us know. Else, if you figure out a solution that works for you, please reply here or in the other post for future reference.

tmm entries for syslog
http://devcentral.f5.com/Default.aspx?tabid=53&aft=30779

Thanks,
Aaron
0
i was under the impression that in v10 you needed to use the `b syslog` command instead of editing the file since it will be overwritten upon bigpipe config reload.
0
Hi Nik,

The idea is that you can either modify the /etc/hosts configuration on TMM so that TMM uses the hostname you'd like or modify the syslog-ng configuration to have syslog-ng insert the host string that you'd like. Either change should be possible to do using the bpsh option described in the article linked in the other post. If you opt for modifying the hosts file entry option, and you cannot use a bigpipe command to make the change you'd need to edit the /etc/hosts file directly and potentially redo that change after upgrades.

Aaron
0
i'm going to double-check with f5 support for a more "official" solution but what you linked is probably the best for now.  i'll comment again once i have something working.
0
I developed the procedure that I use for this from the following Solutions (I used this on v9.4.x, I do not know if it would need to be altered for 10.1.x since I haven't had to modify that version yet):

(SOL5527: Configuring BIG-IP to log to a remote syslog server)
(SOL8260: Configuring syslog settings using the bigpipe command)


1. Create and save a file containing the desired changes, which are as follows. The file should be created in the following location: /etc/syslog-ng

syslog include "
# Direct all log information to remote syslog server
destination remote_server {
udp(\"Remote.Server.IP.Address\" port (514));
udp(\"10.10.10.10\" port (514));
};
filter f_alllogs {
level (debug...emerg);
};
log {source(local);
filter(f_alllogs);
destination(remote_server);
};"

NOTE: If you have implemented Administrative Domains and Partitions the Partition Selection should be the first line:

shell write partition Common
syslog include "
# Direct all log information to remote syslog server
destination remote_server {
udp(\"Remote.Server.IP.Address\" port (514));
udp(\"10.10.10.10\" port (514));
};
filter f_alllogs {
level (debug...emerg);
};
log {source(local);
filter(f_alllogs);
destination(remote_server);
};"

2. At the Load Balancer command line, direct the include file to the bigpipe shell (bpsh):

bpsh < syslog.inc

3. Verify your "include" statement has been included in the running configuration by running the following command:

b syslog include

The output should reflect the contents of the file you directed to bpsh.

NOTE: If Error "No syslogs were found" is encountered you can verify the implementation has actually occurred by looking into the syslog-ng.conf file for the implementation (search on udp and step through the config file).

4. Test your configuration before saving. To roll back changes, you can just reload the permanent configuration:

bigpipe load

5. Once you've confirmed the changes, save your changes to the permanent configuration:

bigpipe save
0
I am trying to set this up. I have to send all the logs to a remote syslog server. Somehow this is not working. Can someone paste it as an example like it shows up in the manuals please
0
Try this...

b syslog include '"destination remote_server { udp(\"xxx.xx.xx.xxx\" port (514));
udp(\"xxx.xx.xx.xxx\" port (514));
};

log { source(local); filter(f_local0); destination(remote_server); };"'
0

Is there a way we can include the Management IP instead of the hostname on the sys-log?

0

Is there a way we can include the Management IP instead of the hostname on the sys-log?

is template customization similar to this useful?

sol15284: Removing the 'local/' string from the host name portion of the syslog message sent to your remote syslog server
http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15284.html

and this thread is about how to exclude syslog configuration from configsync.

Syslog & Source IP on cluster (Felkor's message)
https://devcentral.f5.com/questions/syslog-source-ip-on-cluster

0
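
For the host-field problem raised in this thread (messages arriving with host `local`, or with the `local/` prefix named in sol15284), a receiver-side normalizer is shown here as an added example; it is not from the original posts or from F5. It assumes RFC 3164 framing over UDP; port 5514, the sample datagrams and the function names are constructed for illustration.

```python
import re
import socket

# RFC 3164 (BSD syslog) layout: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
# Constructed sample datagrams (not captured from a real BIG-IP).
SAMPLES = [b"<13>Apr 20 11:11:03 local notice root: test message",
           b"<134>Apr 20 11:11:04 local/bigip1 tmm[1234]: constructed sample\n"]


def normalize(datagram: bytes, source_ip: str) -> dict:
    """Parse one datagram and pick a host value that is usable for searching."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    m = RFC3164.match(text)
    if m is None or int(m["pri"]) > 191:
        # Not RFC 3164: keep the payload and attribute it to the UDP source.
        return {"host": source_ip, "reported_host": None, "facility": None,
                "severity": None, "message": text}
    facility, severity = divmod(int(m["pri"]), 8)
    reported = m["host"]
    # Strip the "local/" prefix; a bare "local" identifies nothing, so fall
    # back to the source address of the datagram.
    name = reported[len("local/"):] if reported.startswith("local/") else reported
    host = name if name and name != "local" else source_ip
    return {"host": host, "reported_host": reported,
            "facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "message": m["msg"]}


def serve(bind: str = "0.0.0.0", port: int = 5514) -> None:
    """Print normalized records; 5514 is an assumed unprivileged test port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (src, _) = sock.recvfrom(8192)
            # UDP syslog is unauthenticated: host field and source can be forged.
            print(normalize(data, src))


if __name__ == "__main__":
    serve()
```

Keeping `reported_host` next to the derived `host` lets a search still find records by the value the device actually sent.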