
Viprion F5 sending logs to Qradar need the slot number removed

when sending the log to qradar it comes up in the format of slot#/hostname

<132>Aug 11 15:27:37 slot1/testf502 warning tmm[11723]: 01260026:4: No shared ciphers between SSL peers 185.181.102.18.56372:192.168.10.156.443.

looking to remove the slot# from the log entry before sending to qradar to allow for better sorting.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I don't think it is possible to remove the slot# from the logs. You can always sort after the log is sent to the server, imo.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Steps to remove "slot1/" from remote syslog.

https://support.f5.com/csp/article/K13333

1) tmsh modify /sys syslog remote-servers none

2) tmsh edit /sys syslog all-properties

3) Find the line "include none" and replace "none" with the include statement below (press "i" for insert mode):

```
include "
options {
keep_hostname(no);
};
filter f_remote_loghost {
level(warn..emerg);
};
destination d_remote_loghost {
tcp(\"IP_SERVER_1\" port(514));
udp(\"IP_SERVER_2\" port(514));
};
log {
source(s_syslog_pipe);
filter(f_remote_loghost);
destination(d_remote_loghost);
};
"
```

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I was able to remove the "slot1/" hostname prefix in syslog messages sent to a remote server using the below configuration on TMOS 12.1.2 HF1 (it likely works elsewhere, I just haven't tested). A few notes:

  • The result of this is that logs from the Primary slot are sent from the Cluster IP Address and logs from any Secondary slots are sent from the respective slot's assigned IP address. I did not test what happens if the slot (blade) is not assigned an IP.
  • It appears that any sys syslog remote-servers configuration is ignored when the above sys syslog include configuration is in place.
  • This configuration will be synced to any HA peers.
  • I tested an upgrade from 12.1.2 HF1 to 13.0.0 HF2 and the configuration was kept intact and was fully functional post-upgrade.
  • Someday if F5 changes how they do syslog or changes the version of syslog in use this may break.

Formatted Configuration:

```
sys syslog {
    remote-servers none
    include "
    template t_no_slot_tmpl {
        # These are original template values (aside from escaped quotes)
        # from t_commontmpl in /etc/syslog-ng/syslog-ng.conf on slot1 and
        # slot2 of a VIPRION chassis (same on vCMP guests).
        #template(\"<$PRI> $STAMP slot1/$HOST $PRIORITY $MSG\\n\");
        #template(\"<$PRI> $STAMP slot2/$HOST $PRIORITY $MSG\\n\");

        # This is the modified template value to remove slot reference.
        # For multi-slot hosts and guests you will lose visibility of
        # which tmos instance (slot) is producing the log message.
        template(\"<$PRI> $STAMP $HOST $PRIORITY $MSG\\n\");
        template_escape(no);
    };

    destination d_no_slot_loghost {
        udp(\"10.10.10.1\" port(514) template(t_no_slot_tmpl));
        #udp(\"10.10.10.2\" port(514) template(t_no_slot_tmpl));
    };

    log {
        source(local);
        destination(d_no_slot_loghost);
    };
    "
}
```

Note that if you are going to paste the text in via `edit sys syslog` you will want to remove all leading spaces/tabs. The tmsh (tm shell) formats the pasted text on the fly and expands the space in a cascade if leading spaces exist. Also, optionally you can use single quotes around the `include` text (as seen below) to eliminate the need to manually escape every double quote and backslash. The tmsh automatically does the escaping when you exit `edit sys syslog` and save the configuration (so it will look like what I pasted above). For example:

```
include '
template t_no_slot_tmpl {
# This is the original template t_commontmpl value from /etc/syslog-ng/syslog-ng.conf
#template("<$PRI> $STAMP slot1/$HOST $PRIORITY $MSG\n");

# This is the modified template value to remove slot reference.
# For multi-slot hosts and guests you will lose visibility of
# which tmos instance (slot) is producing the log message.
template("<$PRI> $STAMP $HOST $PRIORITY $MSG\n");
template_escape(no);
};
destination d_no_slot_loghost {
# For each specific network destination use the custom template
udp("10.10.10.1" port(514) template(t_no_slot_tmpl));
#udp("10.10.10.2" port(514) template(t_no_slot_tmpl));
};
log {
# Using the raw local source (untested whether GUI log settings affect this)
source(local);
# Sending the logs to the destinations listed
destination(d_no_slot_loghost);
};
'
```
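The first answer suggests dealing with the slot prefix after the log reaches the collector, and the third answer notes that the template approach loses which blade produced a message. The following Python is an added example, not code from this thread, from F5 or from QRadar: it parses lines in the layout the question shows (`<PRI>TIMESTAMP slotN/HOST LEVEL PROG[PID]: MSG`), rewrites them exactly as the modified `t_no_slot_tmpl` template would (slot prefix dropped, everything else untouched), and also returns a structured record that keeps the slot as its own field so multi-blade visibility survives. The first sample line is the one quoted in the question; the other two are constructed variations. The `F5SyslogEvent` class and the function names are this example's own.

```python
"""Receiver-side normalisation of F5 BIG-IP / VIPRION syslog lines.

Added example, not code from the DevCentral thread, F5 or IBM. It assumes the
line layout the question shows: "<PRI>TIMESTAMP slotN/HOST LEVEL PROG[PID]: MSG".
"""
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed sample input. The first line is the one quoted in the question;
# the second is a constructed copy from another slot, the third a constructed
# line with no slot prefix at all (a standalone appliance, for instance).
SAMPLE_LINES = [
    "<132>Aug 11 15:27:37 slot1/testf502 warning tmm[11723]: 01260026:4: "
    "No shared ciphers between SSL peers 185.181.102.18.56372:192.168.10.156.443.",
    "<132>Aug 11 15:27:39 slot2/testf502 warning tmm[11901]: 01260026:4: "
    "No shared ciphers between SSL peers 185.181.102.18.56380:192.168.10.156.443.",
    "<133>Aug 11 15:28:05 testf502 notice mcpd[5421]: constructed message with no slot prefix",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                               # RFC 3164 PRI field
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "  # BSD-style $STAMP
    r"(?:(?P<slot>slot\d+)/)?(?P<host>\S+) "             # optional "slotN/" then $HOST
    r"(?P<level>\S+) "                                   # $PRIORITY word (warning, notice, ...)
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "        # start of $MSG: program[pid]:
    r"(?P<msg>.*)$"                                      # rest of $MSG
)


@dataclass
class F5SyslogEvent:
    pri: int
    facility: int
    severity: int
    timestamp: str
    slot: Optional[str]   # "slot1", "slot2", ... or None when no prefix was present
    host: str
    level: str
    program: str
    pid: Optional[str]
    message: str


def parse_syslog_line(line: str) -> Optional[F5SyslogEvent]:
    """Parse one line; return None for anything that does not match the layout."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # PRI = facility*8 + severity with facility 0..23, severity 0..7
        return None
    return F5SyslogEvent(
        pri=pri,
        facility=pri // 8,
        severity=pri % 8,
        timestamp=m.group("ts"),
        slot=m.group("slot"),
        host=m.group("host"),
        level=m.group("level"),
        program=m.group("prog"),
        pid=m.group("pid"),
        message=m.group("msg"),
    )


def strip_slot_prefix(line: str) -> str:
    """Re-emit the line the way the modified template
    "<$PRI> $STAMP $HOST $PRIORITY $MSG" would, i.e. without "slotN/".
    Lines that do not parse, or carry no slot prefix, pass through unchanged."""
    ev = parse_syslog_line(line)
    if ev is None or ev.slot is None:
        return line
    pid_part = f"[{ev.pid}]" if ev.pid else ""
    return f"<{ev.pri}>{ev.timestamp} {ev.host} {ev.level} {ev.program}{pid_part}: {ev.message}"


def to_record(line: str) -> Optional[dict]:
    """Structured form for a SIEM: host is clean for sorting, slot is kept as
    its own field so you still know which blade produced the event."""
    ev = parse_syslog_line(line)
    return None if ev is None else asdict(ev)


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(strip_slot_prefix(raw))
        print(to_record(raw))
```

Run it on the sample lines and the first line comes back as `<132>Aug 11 15:27:37 testf502 warning tmm[11723]: ...` with `slot` still available in the record as `slot1`; PRI 132 decodes to facility 16 (local0) and severity 4, which agrees with the `warning` word the F5 template writes. Applying this on the collector rather than on the BIG-IP keeps the device configuration stock, which sidesteps the upgrade and version caveats the third answer lists.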