Mark_35110
Feb 06, 2014

F5 LTM 11.3.0(3144) - Syslog remote server problems

Hi all, this problem I'm having is doing my head in!

I only want to receive 'crit' to 'emerg' alerts for the cron syslog alert type, yet I am still seeing 'Info' on my remote syslog server!

For the record I have followed these 3 articles:

http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13080.html

http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13317.html

http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13333.html

Here's my config:

[root@myf5:Active:Standalone] config  tmsh list /sys syslog all-properties
sys syslog {
    auth-priv-from notice
    auth-priv-to emerg
    console-log enabled
    cron-from crit
    cron-to emerg
    daemon-from warning
    daemon-to emerg
    description none
    include none
    iso-date disabled
    kern-from warning
    kern-to emerg
    local6-from crit
    local6-to emerg
    mail-from err
    mail-to emerg
    messages-from err
    messages-to crit
    remote-servers {
        zenoss {
            description none
            host 10.140.31.6
            local-ip 192.168.1.2
            remote-port 514
        }
    }
    user-log-from crit
    user-log-to emerg
}

This all looks perfect to me, so I don't understand why I'm seeing these Informational cron alerts. An example alert still coming through is:

(syscheck) CMD (/usr/bin/system_check -q)  

What am I doing wrong? Any help would be hugely appreciated as it's so frustrating.

Thanks

10 Replies

  • I only want to receive 'crit' to 'emerg' alerts for the cron syslog alert type, yet I am still seeing 'Info' on my remote syslog server!

     

    I remember the level configuration is applied to the local log file only. For remote syslog, you have to filter using syslog include.

     

    • Mark_35110
      Thanks, I did have everything via a 'syslog include' but saw no option to bind the alerts to an IP address of my choice. That's why I moved to the remote-servers part of syslog config. If you can let me know how to bind to a local-ip via the include statement then I will be forever in your debt :)
  • Can you try something like this?

    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys syslog include
    sys syslog {
        include "
    filter f_remote_loghost {
      level(crit..emerg);
    };
    destination d_loghost {
      udp(\"172.28.24.1\" port(514) localip(172.28.24.11));
    };
    log {
      source(s_syslog_pipe);
      filter(f_remote_loghost);
      destination(d_loghost);
    };
    "
    }
    
  • Fantastic, that has now stopped all those annoying alarms :D

     

    Now, how can I force a test alert to prove this worked 100%?

     

    • Mark_35110
      Thanks for the links - useful! My problem is resolved, I hope this thread helps someone else in the future :)
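
Added example (not part of the original thread, and not F5's code): a receiver-side check in Python that decodes the `<PRI>` prefix of each syslog datagram and lists any message less severe than `crit`, which is what the `level(crit..emerg)` filter in the thread should have dropped. The sample datagrams are constructed, and the names `decode_pri`, `leaked` and `SAMPLES` are hypothetical.

```python
import re

# Linux facility names by code; codes 12-15 have no common Linux name.
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp"]
              + [f"facility{n}" for n in range(12, 16)]
              + [f"local{n}" for n in range(8)])
# Severity names by code: 0 (emerg) is the most severe, 7 (debug) the least.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(datagram):
    """Return (facility, severity) from the leading <PRI>, or None if absent/invalid."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:  # 23 facilities * 8 + 7 is the maximum PRI
        return None
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def leaked(datagrams, least_severe="crit"):
    """List messages that a level(<least_severe>..emerg) filter should have dropped.

    Datagrams without a valid PRI are reported too, with facility/severity None.
    """
    limit = SEVERITIES.index(least_severe)
    out = []
    for d in datagrams:
        decoded = decode_pri(d)
        if decoded is None:
            out.append((None, None, d))
        elif SEVERITIES.index(decoded[1]) > limit:
            out.append((decoded[0], decoded[1], d))
    return out


# Constructed sample datagrams (not captured from a real BIG-IP).
SAMPLES = [
    b"<78>Feb  6 10:01:01 myf5 crond[4242]: (syscheck) CMD (/usr/bin/system_check -q)",
    b"<74>Feb  6 10:02:00 myf5 logger: constructed cron.crit test",
    b"<24>Feb  6 10:03:00 myf5 logger: constructed daemon.emerg test",
    b"Feb  6 10:04:00 myf5 constructed line with no PRI header",
]

if __name__ == "__main__":
    for fac, sev, raw in leaked(SAMPLES):
        print(fac, sev, raw)
```

Test messages for the receiver can be generated on the sending host with `logger -p cron.info` and `logger -p cron.crit`, assuming its local log socket feeds the same syslog-ng source as the filter; only the `crit` message should then arrive.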