Forum Discussion

MB_58262
Apr 16, 2012

How to turn off info logger from going to remote syslog server

I configured syslog-ng on the F5 LTM (10.2.1) to send system related log entries and iRule generated logs to a remote server. However, I do see many unneeded log entries that I want to avoid going to the log server - for example, "info logger" type of entries - see example below. If you can help shed some light on how to avoid sending such log entries, and better customize syslog-ng to send in only system errors, it would be great -

-- On the F5 LTM, I see the following processes running (2 of them)

logger -p local6.infologger -p local6.info

logger -p local6.infologger -p local6.info

-- Here are the log entries going to remote log server - "info logger" entries 

Apr 16 10:07:59 slot1/ info logger: [ssl_req] [16/Apr/2012:10:07:59 -0700] x.y.z.w SSLv3 RC4-SHA "GET /xui/update/configuration/alert/statusmenu?_=1334595985972 HTTP/1.1" 960

Apr 16 13:06:14 70.151.46.84 Apr 16 10:07:44 slot1/ info logger: [ssl_acc] x.y.z.w - admin [16/Apr/2012:10:07:44 -0700] "GET /xui/update/configuration/alert/statusmenu?_=1334595970774 HTTP/1.1" 200 960

...

--- Here is a snippet of my syslog-ng config for /var/log/ltm portion -

destination remote_server {
    udp("x.y.z.w" port (514));
};

filter f_local0 {
    facility(local0) and level(error);
};

filter f_no_audit {
    not match("AUDIT");
};

destination d_ltm {
    file("/var/log/ltm" create_dirs(yes));
};

log {
    filter(f_local0);
    filter(f_no_audit);
    destination(d_ltm);
    destination(remote_server);
};

Thanks - 

3 Replies

  • Here is more information about the httpd logs - I was able to disable these log entries from being written to their respective log files via syslog-ng on the F5 LTM (via commenting out the destination log directory in the syslog-ng config file), for example:

    destination (/var/log/httpd/ssl_access_log) ...

    Entries below are currently still going to the remote syslog server, and I am looking to see if there is a way to disable that if possible.

    Any help would be really appreciated.

    [root@:/ :Active] httpd pwd /var/log/httpd

    [root@:/ :Active] httpd tail -f /var/log/httpd/ssl_access_log
    Apr 16 13:51:37 slot1/ info logger: [ssl_acc] x.y.z.w - admin [16/Apr/2012:13:51:37 -0700] "GET /xui/update/configuration/alert/statusmenu?_=1334609406346 HTTP/1.1" 200 960
    Apr 16 13:51:42 slot1/ info logger: [ssl_acc] x.y.z.w - admin [16/Apr/2012:13:51:42 -0700] "GET /xui/update/configuration/alert/statusmenu?_=1334609411475 HTTP/1.1" 200 960
    Apr 16 13:51:47 slot1/ info logger: [ssl_acc] x.y.z.w - admin [16/Apr/2012:13:51:47 -0700] "GET /xui/update/configuration/alert/statusmenu?_=1334609416575 HTTP/1.1" 200 960

    [root@:/ :Active] httpd tail -f /var/log/httpd/ssl_request_log
    Apr 16 13:51:42 slot1/ info logger: [ssl_req][16/Apr/2012:13:51:42 -0700] x.y.z.w SSLv3 RC4-SHA "GET /xui/update/configuration/alert/statusmenu?_=1334609411475 HTTP/1.1" 960
    Apr 16 13:51:47 slot1/ info logger: [ssl_req][16/Apr/2012:13:51:47 -0700] x.y.z.w SSLv3 RC4-SHA "GET /xui/update/configuration/alert/statusmenu?_=1334609416575 HTTP/1.1" 960
    Apr 16 13:51:52 slot1/ info logger: [ssl_req][16/Apr/2012:13:51:52 -0700] x.y.z.w SSLv3 RC4-SHA "GET /xui/update/configuration/alert/statusmenu?_=1334609421717 HTTP/1.1" 960

  • Have you seen this article?

    LTM 9.4.2+: Custom Syslog Configuration by Deb
    https://devcentral.f5.com/s/articles/LTM-9-4-2-Custom-Syslog-Configuration

    Hope it is helpful.

  • -- Thanks for pointing out the article, I came across it during my research as well - Here is the configuration I tried - (Note, I narrowed down my log level to warnings and higher)

    [root@HOSTNAME:/:Active] config b syslog include

    SYSLOG - Include Data:

    destination remote_server {
        udp("x.y.z.w" port (514));
    };

    local0.* /var/log/ltm

    filter f_local0 {
        facility(local0) and level(warn..emerg);
    };

    filter f_no_audit {
        not match("AUDIT");
    };

    destination d_ltm {
        file("/var/log/ltm" create_dirs(yes));
    };

    log {
        source(local);
        filter(f_local0);
        filter(f_no_audit);
        destination(d_ltm);
        destination(remote_server);
    };

    -- Still seeing "info logger"; also I am seeing "crond", "snmpd" entries sent to the remote syslog server.

    Apr 17 14:01:25 x.y.z.w Apr 17 11:21:10 slot1/HOSTNAME info logger: [ssl_req][17/Apr/2012:11:21:10 -0700] x.y.z.w SSLv3 RC4-SHA "GET /xui/update/configuration/alert/statusmenu?_=1334686775740 HTTP/1.1" 896
    ...
    Apr 17 14:01:25 x.y.z.w Apr 17 11:20:01 slot1/HOSTNAME info crond[23196]: pam_unix(crond:session): session closed for user syscheck
    ...
    Apr 17 14:01:25 x.y.z.w Apr 17 11:02:57 slot1/HOSTNAME debug snmpd[3977]: Connection from UDP/IPv6: [::ffff:...]:47201 REFUSED
    ...

    -- I am trying to see if there are any syslog-ng filters which would avoid such entries (above) from going to the remote syslog server. Basically, better optimization filtering options for syslog-ng. Currently, it is sending a lot of unwanted information via syslog (udp:514) such as log entries above.
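
A syslog-ng sketch of the filtering asked about in this thread, added here as an example (it is not from any of the posts or from F5's article). The sample entries above are `info` or `debug` level, so none of them can pass `level(warn..emerg)`; syslog-ng evaluates each `log` statement independently, which means they are reaching the remote server through a different log path, and this example assumes that path has been removed. The names `d_remote_errors`, `f_warn_up` and `f_not_noise` are hypothetical; `source(local)`, `f_no_audit` and the `x.y.z.w` placeholder come from the posts.

```conf
# Added example: one dedicated log path for the remote server.
# Assumption: no other log statement references a remote destination.
# Names d_remote_errors, f_warn_up, f_not_noise are hypothetical.

destination d_remote_errors {
    udp("x.y.z.w" port(514));
};

# Severity gate: warning and above, from any facility.
filter f_warn_up {
    level(warn..emerg);
};

# Explicit deny list for the sources seen in the thread:
#   local6 + program "logger"  -> httpd [ssl_acc]/[ssl_req] lines
#   crond, snmpd               -> session and connection chatter
# program() takes a regular expression matched against the program name.
filter f_not_noise {
    not facility(local6)
    and not program("logger")
    and not program("crond")
    and not program("snmpd");
};

# Same audit exclusion the original config used.
filter f_no_audit {
    not match("AUDIT");
};

# All filters in one log statement must match (logical AND).
# The local file destination is left out on purpose so that
# /var/log/ltm keeps its own, less restrictive log path.
log {
    source(local);
    filter(f_warn_up);
    filter(f_not_noise);
    filter(f_no_audit);
    destination(d_remote_errors);
};
```

To confirm which path is still forwarding the unwanted entries, search the generated syslog-ng configuration for every `log` statement that names a `udp(...)` or `tcp(...)` destination and check the filters attached to each one.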