Forum Discussion

smp_86112
May 19, 2010

How to write iRule log statements to a custom log file, and rotate the log

I struggled a bit trying to find the answer to this question for v10. Eventually I opened a case and got the answer, so I thought I'd post until it gets incorporated into the doc.

Sometimes I need to log information from iRules to debug something. So I add a simple log statement, like this:


when HTTP_REQUEST {
  if { [HTTP::uri] equals "/secure" } {
    log local0. "[IP::remote_addr] attempted to access /secure"
  }
}

This is fine, but it clutters up the /var/log/ltm log file. Ideally I want to log this information into a separate log file. To do this, I first change the log statement to incorporate a custom string - I chose "":


when HTTP_REQUEST {
  if { [HTTP::uri] equals "/secure" } {
    log local0. "[IP::remote_addr] attempted to access /secure"
  }
}

Now I have to customize syslog to catch this string, and send it somewhere other than /var/log/ltm. I do this by customizing syslog-ng with an include statement:


bigpipe syslog include '"
filter f_local0 {
facility(local0) and not match(\": \");
};
filter f_local0_customlog {
facility(local0) and match(\": \");
};
destination d_customlog {
file(\"/var/log/customlog\" create_dirs(yes));
};
log {
source(local);
filter(f_local0_customlog);
destination(d_customlog);
};
"'

The included "f_local0" filter overrides the built-in "f_local0" syslog-ng filter (since it will be the last one to load) by adding a "not match" statement - this is regex which catches the "" in the iRule log statement I added and prevents it from being written to the /var/log/ltm log. The next filter "f_local0_customlog", also catches the "" in the iRule log statement. But the remaining sections handle the job of sending them to a new destination - a file named "/var/log/customlog".

You may be asking yourself why I chose to match the regex ": " instead of just "". It turns out that specifying just "" also catches AUDIT statements every time an iRule with the string "" is updated. But the actual iRule log output contains the string ": ", where the AUDIT statement does not.

So now I have a way to force my iRule logging statements to a custom log file. This is great, but how do I incorporate this custom log file into the log rotation scheme? I had to open a case on this one because I couldn't find the answer in the documentation. The answer is with a simple logrotate include statement:


bigpipe logrotate include '"
/var/log/customlog {
    compress
    missingok
    notifempty
}"'

And that's it. I now have a way to force iRule log statements to a custom log file which is rotated just like every other log file, by appending the iRule log statement with a simple "" string.

There are a couple of things to note:

1. You must save the configuration with "bigpipe save" whenever you execute an include statement. If you don't, your changes will be lost the next time your configuration is loaded. That's why I think this solution is so great - it's visible in the bigip_sys.conf file - not like customizing configuration files directly. And it's portable.

2. I believe you need to restart syslog-ng after you customize it - this doesn't have any effect on traffic processing though:


bigstart restart syslog-ng
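
An offline check of the filter regex discussed in the post above, as an added example that is not part of the original post. It assumes a hypothetical marker `CUSTOMTAG` placed at the start of the logged message, uses `grep -E` as a stand-in for the syslog-ng `match()` regex, and runs over constructed sample lines rather than lines captured from a BIG-IP.

```shell
#!/bin/sh
# Added example: try a candidate match() regex against sample lines before
# putting it into the syslog-ng include.
# MARKER is a hypothetical placeholder, not the string used in the post.
# Keep it free of regex metacharacters, or escape them.
MARKER='CUSTOMTAG'

# Constructed sample lines (assumed shapes, not real log output):
#   1. iRule log output, marker at the start of the logged message
#   2. audit entry that records the iRule source when the rule is updated
#   3. unrelated local0 message from another iRule
sample_lines() {
  cat <<EOF
tmm[1234]: Rule secure_rule <HTTP_REQUEST>: ${MARKER}10.1.1.5 attempted to access /secure
mcpd[2345]: AUDIT - modify rule secure_rule { log local0. "${MARKER}[IP::remote_addr] attempted to access /secure" }
tmm[1234]: Rule other_rule <HTTP_REQUEST>: selected pool member 10.2.2.2
EOF
}

# Lines the f_local0_customlog filter would send to /var/log/customlog.
to_customlog() {
  sample_lines | grep -E -- "$1"
}

# Lines the overriding f_local0 filter (the "not match") leaves in /var/log/ltm.
to_ltm() {
  sample_lines | grep -E -v -- "$1"
}

# Print how many sample lines land in each file for a given regex.
report() {
  printf 'regex "%s": customlog=%s ltm=%s\n' "$1" \
    "$(to_customlog "$1" | wc -l | tr -d ' ')" \
    "$(to_ltm "$1" | wc -l | tr -d ' ')"
}

report "$MARKER"     # bare marker: the audit line is pulled into customlog too
report ": $MARKER"   # ": " + marker: only the iRule output is redirected
```

Because the two filters use the same regex, one with `not`, every local0 line lands in exactly one of the two files; the counts printed for each regex always add up to the number of sample lines.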

3 Replies