Forum Discussion

fmartos_30060 (Nimbostratus)
May 05, 2010

Audit logging

Hi

I've configured an external syslog, and I'm getting the syslog full of messages like this:

httpd[12864]: 01070417:0: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/bin/false host=selfip-bip1 attempts=1 start="Wed May 5 09:49:01 2010" end="Wed May 5 10:09:30 2010".

httpd[8945]: 01070417:0: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/bin/false host=selfip-bip2 attempts=1 start="Wed May 5 09:49:26 2010" end="Wed May 5 10:09:56 2010".

Looks like it's due to configsync notification being active. Audit logging is disabled.

Any way to get rid of this?

Thanks

10 Replies

  • That looks like audit logging from the admin GUI's httpd. You could create a filter on syslog-ng to not send the audit logs remotely. For 9.4.2 or higher, you can check this article and recent post for details:

    Customizing syslog-ng f_local0 filter
    http://devcentral.f5.com/tabid/1082223/aff/32/afv/topic/aft/1172264/afc/1172992/Default.aspx

    Custom Syslog Config
    http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/155/LTM-942-Custom-Syslog-Configuration.aspx

    Aaron
  • I was just about to post almost exactly the same message when I came across your post. In my case, I have a customized /etc/alertd/alert.conf to send me email notifications. And when I upgraded to v10, I suddenly started getting these notifications which I wasn't expecting. There is something more happening with alertd that I'd like to understand better.

    As I dug into this, I confirmed (by commenting and uncommenting) that the statement catching the event (and generating emails in my case) in /etc/alertd/alert.conf is this:

        alert BIGIP_LOG_EMERG "^[0-9]{8}:0: (.*)" {

    And I guess this matches based only on the regex, since the event starts with the string "01070417:0". But if you look for the error code 01070417 in /var/run/bigip_error_maps.dat, you'll see this:

        0 LOG_NOTICE 01070417 BIGIP_MCPD_MCPDERR_AUDIT "AUDIT - user %s - transaction %u-%u - object %u - %s"

    So /etc/alertd/alert.conf considers the alert EMERG status, while /var/run/bigip_error_maps.dat considers it NOTICE. That is a disconnect that I just can't wrap my head around.
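The two posts above raise the same question from two sides: which rule fires on these httpd AUDIT lines (Aaron's suggested syslog-ng filter, and the alertd regex versus the error map). The following POSIX shell script is an added example, not code from the thread or from F5. It runs the two audit lines quoted in the question through the alert.conf regex, looks the code up in the quoted bigip_error_maps.dat entry, and then applies a keep/drop rule of the kind one would express in a remote-syslog filter: only the mod_auth_pam records coming from the config-sync peer are dropped, so an admin login from any other address is still forwarded. The sample lines are constructed copies of the ones in the thread, and the peer hostname list is an assumption made for the example.

```sh
#!/bin/sh
# Added example (not from the thread or F5): classify the httpd AUDIT lines
# the way alertd, the error map and a remote-syslog filter would see them.
# Sample data is constructed from the lines quoted in the thread; the peer
# hostname list is an assumption for illustration.

# The one error-map line quoted in the thread (constructed copy).
ERROR_MAP='0 LOG_NOTICE 01070417 BIGIP_MCPD_MCPDERR_AUDIT "AUDIT - user %s - transaction %u-%u - object %u - %s"'

# Hostnames the config-sync peer authenticates from (assumed for this example).
PEER_HOSTS='selfip-bip1 selfip-bip2'

# Two audit lines as they arrived at the external syslog (copied from the thread).
SAMPLE1='httpd[12864]: 01070417:0: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/bin/false host=selfip-bip1 attempts=1 start="Wed May 5 09:49:01 2010" end="Wed May 5 10:09:30 2010".'
SAMPLE2='httpd[8945]: 01070417:0: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/bin/false host=selfip-bip2 attempts=1 start="Wed May 5 09:49:26 2010" end="Wed May 5 10:09:56 2010".'

# Strip the "httpd[12864]: " program prefix so only the BIG-IP message body
# ("01070417:0: AUDIT ...") remains; that body is what the alertd regex is
# anchored against.
message_body() {
    printf '%s\n' "$1" | sed 's/^[^ ]*\[[0-9]*\]: //'
}

# True (exit 0) when the alert.conf pattern  ^[0-9]{8}:0: (.*)  matches.
# The pattern keys on eight decimal digits followed by ":0:"; a code with a
# hex letter in it, such as 012e0022 further down this thread, never matches.
alertd_emerg_matches() {
    message_body "$1" | grep -Eq '^[0-9]{8}:0: (.*)'
}

# Severity the error map assigns to the 8-character code that opens the
# message body (field 2 of the map line is the level, field 3 the code).
mapped_severity() {
    code=$(message_body "$1" | cut -c1-8)
    printf '%s\n' "$ERROR_MAP" | awk -v c="$code" '$3 == c { print $2 }'
}

# Extract one key=value field (user, partition, level, tty, host, attempts)
# from the RAW mod_auth_pam record.  $1 = line, $2 = key.
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\([^ ]*\).*/\1/p"
}

# Remote-forwarding decision: drop only mod_auth_pam records whose host= is a
# known peer, so an admin login from anywhere else is still forwarded.
# Prints "drop" or "keep".
forward_decision() {
    case "$1" in
        *'httpd(mod_auth_pam)'*)
            h=$(audit_field "$1" host)
            for p in $PEER_HOSTS; do
                if [ "$h" = "$p" ]; then
                    echo drop
                    return 0
                fi
            done
            ;;
    esac
    echo keep
}

# Demo: report how each sample line is classified.
for line in "$SAMPLE1" "$SAMPLE2"; do
    if alertd_emerg_matches "$line"; then a=matches; else a='no match'; fi
    printf 'host=%s alertd=%s map=%s remote=%s\n' \
        "$(audit_field "$line" host)" "$a" "$(mapped_severity "$line")" \
        "$(forward_decision "$line")"
done
```

Both sample lines match the alertd regex while the map lookup returns LOG_NOTICE, which is the disconnect described in the post. The keep/drop rule deliberately tests the host= field rather than the message text alone: blanket-filtering everything that says "AUDIT" would also silence a real administrator login to the GUI, which is exactly the record a remote collector is there to keep.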

     

  • We have been able to filter the message on the syslog, but it is quite annoying to have this message appearing in the GUI log... Any idea how to avoid this message appearing in the GUI log?

  • I'm getting similar messages as the one listed above. Is there a way to only send the following messages to a single syslog server?

    /var/log/messages
    /var/log/audit
    /var/log/ltm

    I followed the instructions in the article link above; however it didn't do a very good job of explaining what the filters are doing :(

  • Hi Jeff,

    I think this should work, but I'd test it on a test unit first.

    Add this to a temp file named syslog.inc:

        syslog include "
        destination d_messages {
           file("/var/log/messages" create_dirs(yes));
           udp(\"10.0.0.1\" port (514));
        };
        destination d_audit {
           file("/var/log/audit" create_dirs(yes));
           program("/usr/bin/audit_forwarder");
           udp(\"10.0.0.1\" port (514));
        };
        destination d_ltm {
           file("/var/log/ltm" create_dirs(yes));
           udp(\"10.0.0.1\" port (514));
        };"

    Then load it into memory:

        bpsh < syslog.inc

    Test to verify the configuration is working.

    If it does, then run:

        b save all

    If it does not, run:

        b syslog include none
        b save all

    Aaron
  • Aaron, I received several errors. I'm doing my best to review as to why. See if the example below is correct. I made these adjustments based on examples I see in syslog-ng.conf as well as what is provided above.

        [root@LAB-Practice-LB2:Active] config bpsh < syslog.inc
        BIGpipe parsing error:
        012e0022:3: The requested value (/var/log/messages" create_dirs(yes));) is invalid (show | ( | none)) for 'include' in 'syslog'
        BIGpipe parsing error:
        012e0008:3: The requested command (udp(\"10.1.32.34\" port (514));) is invalid
        BIGpipe parsing error:
        012e0008:3: The requested command (};) is invalid
        BIGpipe parsing error:
        012e0008:3: The requested command (destination d_audit {) is invalid
        BIGpipe parsing error:
        012e0008:3: The requested command (file("/var/log/audit" create_dirs(yes));) is invalid
        BIGpipe parsing error:
        012e0008:3: The requested command (program("/usr/bin/audit_forwarder");) is invalid
        BIGpipe parsing error:
        012e0008:3: The requested command (udp(\"10.1.32.34\" port (514));) is invalid
        BIGpipe parsing error:
        012e0008:3: The requested command (};) is invalid
        BIGpipe parsing error:
        012e0008:3: The requested command (destination d_ltm {) is invalid
        BIGpipe parsing error:
        012e0008:3: The requested command (file("/var/log/ltm" create_dirs(yes));) is invalid
        BIGpipe parsing error:
        012e0008:3: The requested command (udp(\"10.1.32.34\" port (514));) is invalid
        BIGpipe parsing error:
        012e0008:3: The requested command (} ;") is invalid

    =======================================================

        syslog include " destination d_messages { file(\"/var/log/messages\" create_dirs(yes)); udp(\"10.1.32.34\" port (514)); }; destination d_audit { file(\"/var/log/audit\" create_dirs(yes)); program(\"/usr/bin/audit_forwarder\"); udp(\"10.1.32.34\" port (514)); }; destination d_ltm { file(\"/var/log/ltm\" create_dirs(yes)); udp(\"10.1.32.34\" port (514)); };"
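The parsing errors above come from the shape of the argument rather than from syslog-ng: `b syslog include` takes one quoted string, so every inner double quote has to be written as `\"` and the fragment has to be passed as a single string (the udp() lines were escaped, the file() lines were not). The corrected one-liner at the end of the post is exactly that. The POSIX shell script below is an added example, not code from the thread or from F5: it keeps the fragment readable on disk, generates the escaped one-line argument, and refuses to emit it if any quote is left unescaped. The destinations and the collector address 10.1.32.34 are the ones in the post; treating that address as the intended remote syslog server is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread or F5): produce the single-line,
# quote-escaped argument that `b syslog include "..."` accepts from a
# multi-line syslog-ng fragment, and check it before loading.
# The collector address below is the one from the thread (assumed).

# The three destinations from the thread, kept readable (constructed input).
FRAGMENT='destination d_messages {
   file("/var/log/messages" create_dirs(yes));
   udp("10.1.32.34" port (514));
};
destination d_audit {
   file("/var/log/audit" create_dirs(yes));
   program("/usr/bin/audit_forwarder");
   udp("10.1.32.34" port (514));
};
destination d_ltm {
   file("/var/log/ltm" create_dirs(yes));
   udp("10.1.32.34" port (514));
};'

# Escape every inner double quote as \" and join the lines with single spaces.
bigpipe_include_arg() {
    printf '%s\n' "$1" | sed 's/"/\\"/g' | tr '\n' ' ' | sed 's/  */ /g; s/ $//'
}

# The complete bigpipe statement, ready to be written to a file and fed to
# `bpsh < file` as the earlier post describes.
bigpipe_include_cmd() {
    printf 'syslog include "%s"\n' "$(bigpipe_include_arg "$1")"
}

# Pre-flight check: exit 0 only if no double quote in the argument is left
# unescaped, i.e. every " is preceded by a backslash.
include_arg_is_escaped() {
    ! printf '%s\n' "$1" | grep -q '[^\\]"'
}

# Demo: emit the statement only when the escape check passes.
ARG=$(bigpipe_include_arg "$FRAGMENT")
if include_arg_is_escaped "$ARG"; then
    bigpipe_include_cmd "$FRAGMENT"
else
    echo 'refusing to emit: unescaped quote in include argument' >&2
fi
```

Redirect the script's output into syslog.inc and load it with `bpsh < syslog.inc` on a test unit, as the earlier reply recommends; `b syslog include none` followed by `b save all` backs the change out if the result is not what you expect.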
  • I loaded the syslog.inc above without errors. With that said, this is what I have configured so far:

        [root@LAB-Practice-LB2:Active] config  b syslog include
        SYSLOG - Include Data: destination d_messages { file("/var/log/messages" create_dirs(yes)); udp("10.1.32.34" port (514)); }; destination d_audit { file("/var/log/audit" create_dirs(yes)); program("/usr/bin/audit_forwarder"); udp("10.1.32.34" port (514)); }; destination d_ltm { file("/var/log/ltm" create_dirs(yes)); udp("10.1.32.34" port (514)); };

    When I checked my syslog server I'm still seeing messages as follows:

        5/25/11 12:21:25.000 PM May 25 12:21:25 10.1.29.55 May 25 12:21:25 LAB-Practice-LB2 logger: [ssl_req][25/May/2011:12:21:25 -0400] 10.1.29.54 TLSv1 DHE-RSA-AES256-SHA "POST /iControl/iControlPortal.cgi HTTP/1.1" 437
        host=10.1.29.55 LAB - NDC-PBN-TLP-LB2 sourcetype=syslog source=Syslogs

    They appear to be coming from the following:

        [root@LAB-Practice-LB2:Active] httpd pwd
        /var/log/httpd
        [root@LAB-Practice-LB2:Active] httpd ls -lrt
        total 1712
        -rw-r--r-- 1 root root      0 Jul  7  2005 access_log
        -rw-r--r-- 1 root root    724 May 25 11:02 httpd_errors
        -rw-r--r-- 1 root root 505968 May 25 12:28 ssl_request_log
        -rw-r--r-- 1 root root 469392 May 25 12:28 ssl_access_log

    Also I see messages from crond:

        12:34:01.000 PM May 25 12:34:01 10.1.29.55 May 25 12:34:01 LAB-Practice-LB2 crond[8984]: (syscheck) CMD (/usr/bin/system_check -q)
        host=10.1.29.55 LAB - NDC-PBN-TLP-LB2 sourcetype=syslog source=Syslogs

    Would it be better to filter all and then allow the ones you've provided? I'm very new to syslogging, so thank you in advance for your patience. I do appreciate your time and insight.

  • I was out of pocket with the holiday weekend. I'm working with 9.4.8 HF2
  • I tried this solution (http://support.f5.com/kb/en-us/solutions/public/9000/400/sol9442.html) provided by F5 for filtering the Config Sync Detect events.

        5/25/11 12:21:25.000 PM May 25 12:21:25 10.1.29.55 May 25 12:21:25 LAB-Practice-LB2 logger: [ssl_req][25/May/2011:12:21:25 -0400] 10.1.29.54 TLSv1 DHE-RSA-AES256-SHA "POST /iControl/iControlPortal.cgi HTTP/1.1" 437
        host=10.1.29.55 LAB - NDC-PBN-TLP-LB2 sourcetype=syslog source=Syslogs

    The problem with this solution is that when you sync the configuration it overwrites the peer address being filtered.