JTucker_137331
Jun 12, 2014

Logging Specific Message to Syslog Server LTM 11.4.1

Hi,

I have followed the steps from here:

http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13333.html

but I don't seem to be getting any output to the syslog server.

modify syslog {
auth-priv-from notice
auth-priv-to emerg
console-log enabled
cron-from warning
cron-to emerg
daemon-from notice
daemon-to emerg
description none
include "
filter f_remote_loghost {
    level(warn..emerg);
};
destination d_remote_loghost {
    udp(\"172.22.0.90\" port(514));
};
log {
    source(s_syslog_pipe);
    filter(f_remote_loghost);
    destination(d_remote_loghost);
};
"
iso-date disabled
kern-from notice
kern-to emerg
local6-from notice
local6-to emerg
mail-from notice
mail-to emerg
messages-from notice
messages-to warning
remote-servers none
user-log-from notice
user-log-to emerg }

Which looks fine as per the article - tcpdump on the ether0 interface shows no traffic either (even when set to higher logging levels.) I've also noticed that the GUI doesn't seem to reflect this change, is that right too?

Any pointers would be appreciated!

James

1 Reply

  • Hello,

    I had to raise a ticket with F5 a couple of weeks ago as we were configuring this for the first time and I also had problems configuring this.

    The GUI configuration options only apply to the local logging levels, so changes you make at the CLI for the remote logging filter will not be replicated in the GUI.

    As per SOL13333, remember to enter the following command: modify /sys syslog remote-servers none

    This clears the existing remote-servers configuration. I would recommend testing with the "info" logging level to ensure the remote syslog is working before filtering. I implemented this with "notice" and ended up raising another ticket with F5 when no logs were being sent, only to then find that the "notice" level messages don't fire very often. I quickly closed the F5 support ticket and apologized for my impatience. With a filter of warning to emergency, there will be very few messages generated.

    We're still tuning our monitoring system at the moment but I can confirm that if a pool has no available members, this should generate an error level alert. Obviously not easy to replicate in a production environment but if you have a test VS, you could generate an alert by turning off the nodes behind it.

    I would also recommend using the following tcpdump, unless that server is used for other purposes as well: tcpdump dst host 172.22.0.90

    I hope this helps, Luke
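Why a level(warn..emerg) filter forwards so few messages, as an added example that is not part of either post and is not F5 code: it decodes the <PRI> header of syslog datagrams and applies a syslog-ng style level range to them. The sample messages, the host name bigip1 and all function names are constructed for illustration.

```python
import re

# Syslog severity names indexed by numeric severity (0 = most severe).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# "warn" is the spelling used in the filter posted above; "error" is a common alias.
ALIASES = {"warn": "warning", "error": "err"}
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def severity_number(name):
    """Map a severity name (or alias) to its numeric value."""
    return SEVERITIES.index(ALIASES.get(name, name))


def parse_level_range(expr):
    """Turn 'warn..emerg' into a (most_severe, least_severe) pair of numbers."""
    first, _, second = expr.partition("..")
    nums = [severity_number(first), severity_number(second or first)]
    return min(nums), max(nums)


def decode_pri(datagram):
    """Return (facility, severity) from the <PRI> header of a syslog datagram."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        raise ValueError("no valid <PRI> header")
    return divmod(int(m.group(1)), 8)  # PRI = facility * 8 + severity


def forwarded(datagrams, level_expr):
    """Datagrams that a level(<level_expr>) filter would let through."""
    lo, hi = parse_level_range(level_expr)
    return [d for d in datagrams if lo <= decode_pri(d)[1] <= hi]


# Constructed sample messages (not real BIG-IP output).
SAMPLES = [
    b"<131>Jun 12 10:00:01 bigip1 tmm[1234]: constructed pool-down message",   # local0.err
    b"<133>Jun 12 10:00:02 bigip1 mcpd[2345]: constructed status message",     # local0.notice
    b"<134>Jun 12 10:00:03 bigip1 httpd[3456]: constructed request message",   # local0.info
    b"<86>Jun 12 10:00:04 bigip1 sshd[4567]: constructed login message",       # authpriv.info
]

if __name__ == "__main__":
    for expr in ("warn..emerg", "notice..emerg", "info..emerg"):
        kept = forwarded(SAMPLES, expr)
        print(f"level({expr}): {len(kept)} of {len(SAMPLES)} forwarded")
```

The same decode_pri function can be pointed at payloads captured on the syslog server to confirm which severities are actually arriving.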