Syslog off box via TCP and stop writing to disk

We would like to remote syslog off the LTM via TCP for guaranteed delivery and also prevent the messages from writing to disk. In order to get TCP versus UDP we stream the logs through the local syslog-ng process as the remote iRule log command can only do UDP. I have referenced the great "Custom Syslog Configuration" article on how to append custom changes to syslog-ng, which has allowed us to stream syslog messages off the box via TCP. :-)

The problem is that even though we have added configs to send logs off the box, the syslog-ng process is still writing them to disk, which is causing a performance degradation. We want to send off the box and also stop logging locally. When we do custom syslog configs it appears to only add additional configuration but doesn't change any of the existing default configs. Is there any way to override local0 (or other) to stop writing to /var/log/ltm?

Thanks,
-Dan




Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Hi Dan,

For versions lower than 9.4.2 you can edit the syslog-ng.conf however you want. In 9.4.2+ there is the new CLI interface which limits the options. If you're on a newer version, I'd suggest opening a case with F5 Support and asking them if it's possible or for a workaround. Worst case, hopefully they'll add the functionality in a future release.

Aaron
0
Thanks for the information. Here is my workaround to get any custom syslog-ng configuration. This allowed me to stream logs off the box without writing them to disk.

1) Stop syslog-ng (bigstart stop syslog-ng)
2) Edit /var/run/config/syslog-ng.conf to meet my needs
3) Start syslog-ng (bigstart start syslog-ng)

This worked around the limitations of just appending syslog configs via the F5 method.

Thanks.
0
You need to add the exclusion rules to the syslog-ng.conf file on the LTM lines. For example:
filter f_local0 {
    facility(local0) and level(info..emerg) and not match(": Rule ");
};

destination d_ltm {
    file("/var/log/ltm" create_dirs(yes));
};

log {
    source(local);
    filter(f_local0);
    destination(d_ltm);
};

Note the and not match(": Rule ") is what you need.
0
Thanks, that works for not writing the iRule logs to disk.

My problem is that to do this makes my syslog-ng configuration not supported by F5. The supported method to edit syslog-ng only allows you to append configurations to the file via the include method. Any advanced config like the one you propose requires a direct edit of the file. So, I guess my question is: can this be done and still be supported by F5?

Thanks,
-Dan
0
You should be able to selectively block disk logging by overriding the unwanted disk-file "destination" targets with empty (or TCP-forwarding) versions in your include block.
0
Please note, if you reboot or change the syslog config with the GUI or bigpipe any changes made to the syslog config will be gone.

joberreu is on to something. If you use the bigpipe syslog include command to include a second destination for an existing destination it will be used (it might be because it is the last one in the config file). For example:

bigpipe syslog include '"destination d_messages { udp(ip(10.10.1.10)); };"'

should cause log messages to go to the IP instead of the original file /var/log/messages.
0
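A quick check for what the last two replies describe, as an added example (not code from this thread or from F5): it parses a syslog-ng.conf and lists every log path that still ends in a file() destination. The sample config, the 192.0.2.10 collector and the rule that a later destination definition replaces an earlier one are assumptions; the thread only says the last one "might" win.

```python
import re

# Constructed sample of the default on-disk logging (not a real BIG-IP file).
BASE = '''
filter f_local0 { facility(local0) and level(info..emerg); };
destination d_ltm { file("/var/log/ltm" create_dirs(yes)); };
destination d_messages { file("/var/log/messages"); };
log { source(local); filter(f_local0); destination(d_ltm); };
log { source(local); destination(d_messages); };
'''
# Include that only ADDS a remote path: the default log path is untouched.
ADD_ONLY = '''
destination d_remote { tcp("192.0.2.10" port(514)); };
log { source(local); filter(f_local0); destination(d_remote); };
'''
# Include that REDEFINES the existing destination name as a TCP target.
OVERRIDE = '''
destination d_ltm { tcp("192.0.2.10" port(514)); };
'''

def disk_log_paths(conf):
    """Return (filters, destination, path) for each log path ending in file()."""
    conf = re.sub(r'#[^\n]*', '', conf)          # drop comments
    dests, logs = {}, []
    for m in re.finditer(r'\b(destination|log)\b\s*(\w*)\s*\{([^{}]*)\}\s*;', conf):
        kind, name, body = m.groups()
        if kind == 'destination':
            dests[name] = body                   # assumption: last definition wins
        else:
            logs.append(body)
    findings = []
    for body in logs:
        filters = tuple(re.findall(r'\bfilter\(\s*(\w+)\s*\)', body))
        for dest in re.findall(r'\bdestination\(\s*(\w+)\s*\)', body):
            hit = re.search(r'\bfile\(\s*"([^"]+)"', dests.get(dest, ''))
            if hit:
                findings.append((filters, dest, hit.group(1)))
    return findings

if __name__ == '__main__':
    for label, extra in (('default', ''), ('add-only', ADD_ONLY), ('override', OVERRIDE)):
        print(label, disk_log_paths(BASE + extra))
```

Run it against the generated syslog-ng.conf after each config save: an empty result for a facility means no log path for it resolves to a local file under the stated assumption.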
You can use the command line to include an entire file of syslog-ng.conf changes; the instructions are here:

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=155

0
I followed the article outlined above, but I am not able to override the default destination of the log messages. They are always written to disk. Here is my include file:



syslog include "
# weblog filter: log WebLog to remote server
filter f_weblog {
    facility(local4) and level(debug..emerg) and match(\"WEBLOG\");
};
destination d_weblog {
    udp(\"192.168.0.68\" port (19999));
};
log {
    source(local);
    filter(f_weblog);
    destination(d_weblog);
};

filter f_no_weblog {
    not match(\"WEBLOG\");
};

# local4.*/var/log/ltm
filter f_local4 {
    facility(local4);
};

log {
    source(s_syslog_pipe);
    filter(f_local4);
    filter(f_no_weblog);
    destination(d_ltm);
};
"

Any help would be greatly appreciated.
0
If logging to syslog, you ARE writing to disk. To avoid it, you need to use the log or HSL:: commands in iRules.
0
The HSL:: command would be an excellent option, but it is only available from version 10.x. We are on version 9.4.x. I tried remote log in an iRule, but only UDP is supported, and we need TCP. So I am trying to find some workaround.

0
suprety, that looks about right at first glance. What does your syslog-ng.conf file look like after saving the config?

Aaron
0
Hi Hoolio,
I have attached the syslog-ng.conf and include file.  

Thanks,
0