Forum Discussion

smp_86112
May 04, 2010

Customizing syslog-ng f_local0 filter

This is for v10.1.0.

I have developed an iRule that provides us with some useful troubleshooting information by sending useful events to a custom log file. Syslog-ng was set up to capture these events based on a custom syslog-ng filter I added using the "b syslog include" statement, which looks for a custom string pattern. This all works fine and good. The issue I've got is that because of the default f_local0 filter, these log messages are also being sent to the /var/log/ltm file. I want to isolate these logging events to my custom log file by adding an exclusion statement in the f_local0 filter. However, the top of the syslog-ng.conf file warns against editing the file directly, and the bigpipe syslog command doesn't seem to provide any way to customize built-in filters. Is there another way to customize the default syslog-ng filters using the bigpipe syslog command?

5 Replies

  • Hi SMP,

    You should be able to redefine the default d_ltm filter using the steps outlined in Deb's article:

    LTM 9.4.2+: Custom Syslog Configuration

    http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=155

    See the section titled: Modifying the default logging

    Aaron
  • Hi Hoolio,

    Thanks for the reference. The document doesn't explicitly state how this works. It sort of implies that it works because the include statement is the last statement to load - much like apache's config file. Is that what I'm supposed to assume?
  • That's what I got from the article as well. If I remember correctly... If you try to define an object which already exists in the default syslog-ng config using an include file, it just redefines the object (and does not modify the previously defined object).

    Aaron
  • "...and overrides the default object definitions, since the include statement is the last one to load." That's a critical piece that's missing in the doc, in my opinion. My testing today confirmed my suspicion - the "bigpipe syslog include" command overrides everything else. Here's the syslog-ng customization I developed to send a subset of log entries to a custom log file. In my logging iRule, I simply need to add a "" custom string to the log output. I chose to match the string ": " instead of just "" in the f_local0 filter because it was capturing AUDIT logging events in the /var/log/customlog every time I modified the iRule.

    Logging iRule Definition

    
    when CLIENT_ACCEPTED {
        log local0. "this goes to /var/log/ltm"
        log local0. "this goes to /var/log/customlog"
    }

    Syslog-ng Include

    Note that including the definition for filter "f_local0" overrides the built-in definition because the include definition is the last one to load:

    
    b syslog include '"
        filter f_local0 {
            facility(local0) and not match(\": \");
        };
        filter f_local0_customlog {
            facility(local0) and match(\": \");
        };
        destination d_customlog {
            file(\"/var/log/customlog\" create_dirs(yes));
        };
        log {
            source(local); filter(f_local0_customlog); destination(d_customlog);
        };
    "'
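    To make the routing in the include above concrete, here is an added Python simulation (not part of the thread or of F5's tooling) of how syslog-ng evaluates the two filters against sample local0 messages. It assumes a placeholder marker CUSTOM_TAG for the custom string the post does not show, models match() as a regex search, and models the include's f_local0 replacing the built-in one because it loads last.

```python
import re

# Placeholder for the poster's custom marker string (the page does not show it).
CUSTOM_TAG = "CUSTOMTAG"

# Loose pattern: bare marker.  Strict pattern: marker followed by ": ".
LOOSE_PATTERN = re.escape(CUSTOM_TAG)
STRICT_PATTERN = re.escape(CUSTOM_TAG) + ": "

# Constructed sample records as (facility, message), shaped like /var/log/ltm lines.
SAMPLE_LOG = [
    ("local0", "Rule my_rule <CLIENT_ACCEPTED>: this goes to /var/log/ltm"),
    ("local0", f"Rule my_rule <CLIENT_ACCEPTED>: {CUSTOM_TAG}: this goes to /var/log/customlog"),
    # Constructed audit entry quoting iRule text that contains the bare marker
    # (here inside a comment) but not "marker: ", mirroring the poster's AUDIT problem.
    ("local0", f"AUDIT - user admin - rule my_rule {{ # {CUSTOM_TAG} debugging }}"),
    ("local1", f"{CUSTOM_TAG}: wrong facility, matched by neither filter"),
]


def build_filters(tag_pattern):
    """Return the effective filter table after the include is loaded last.

    Mirrors syslog-ng's behaviour described in the thread: the include's
    f_local0 replaces the built-in definition instead of modifying it.
    """
    pat = re.compile(tag_pattern)
    filters = {"f_local0": lambda fac, msg: fac == "local0"}  # built-in definition
    include = {
        "f_local0": lambda fac, msg: fac == "local0" and not pat.search(msg),
        "f_local0_customlog": lambda fac, msg: fac == "local0" and bool(pat.search(msg)),
    }
    filters.update(include)  # later definition overrides the earlier one
    return filters


def route(records, tag_pattern):
    """Deliver each record to the destination file its filter selects."""
    filters = build_filters(tag_pattern)
    paths = {"f_local0": "/var/log/ltm", "f_local0_customlog": "/var/log/customlog"}
    out = {"/var/log/ltm": [], "/var/log/customlog": []}
    for fac, msg in records:
        for name, flt in filters.items():
            if flt(fac, msg):
                out[paths[name]].append(msg)
    return out


if __name__ == "__main__":
    for label, pattern in (("loose", LOOSE_PATTERN), ("strict", STRICT_PATTERN)):
        print(label, route(SAMPLE_LOG, pattern))
```

    With the loose pattern the constructed AUDIT line lands in /var/log/customlog as well; with the strict pattern only the tagged iRule message does.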
  • That's a novel approach with the two hashes for differentiating the custom iRule logging from standard logging.

    Aaron