
ghost-rider_124 (Nimbostratus)
Dec 22, 2014

LTM logs to external syslog (Splunk)

Hello Experts

 

I want to send LTM logs to a syslog server. When I configure a syslog server, which LTM logs will be sent to syslog by default? I want the below; do I need to write an iRule for this:

1- Each client IP and going to which pool member (which server was selected)
2- No of transactions per Virtual Server
3- Pool member health status
4- Virtual Server health status

Your reply is appreciated.

 

16 Replies

  • You're looking for connection logging. There's a couple of very good articles out there about using High Speed Logging.

     

    Here's a couple of other dev central resources for you.

     

    https://devcentral.f5.com/wiki/irules.HSL.ashx
    https://devcentral.f5.com/questions/logging-client-connections-to-syslog

     

    • ghost-rider_124 (Nimbostratus)
      Thanks for the reply. What about LTM other logs like pool member up/down etc? I will come without HSL. Because I am not able to see any such logs
    • shaggy (Nimbostratus)
      pool member up/down (and everything else in /var/log/ltm) will be sent to a remote syslog server if a remote server is configured. connection information should be gathered via iRule or logging profile and sent to a remote server using HSL
    • James_124570 (Nimbostratus)
      Is it really a good idea to attach an iRule that scans every packet to a production virtual server? There has to be a better way. Just my thoughts.
  • 1- Each client IP and going to which pool member (which server was selected)

    - High Speed Logging. See the links above.
    

    2- No of transactions per Virtual Server

    - can be extrapolated from the connection logging information. Usually done on a reporting server. However, you can get this information directly from the box by looking at Virtual Server Statistics. 
    

    3- Pool member health status

    - This is found in /var/log/ltm. If you configure syslog like Shaggy mentioned, you're all set.
    

    4- Virtual Server health status

    - See "3" from above.
    
  • Thanks a lot. So if I configure syslog under System -> Logging, then /var/log/ltm will go to the syslog server by default?

     

    • cdougall_14195 (Cirrus)
      yep. That's correct. There's quite a bit that will get sent to the syslog server once you get that set up. Below are the docs for setting up the remote syslog, as well as how to filter it. Hope this helps.
      https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13080.html?sr=42612466
      https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13333.html
    • ghost-rider_124 (Nimbostratus)
      Can you please help me? I want to send only LTM and audit logs (admin activities) to the remote syslog server. How can I filter the syslog setting? Your reply is appreciated.
  • I want to send only LTM and Audit Logs (admin activities) to remote syslog server. How I can filter the syslog setting.

    can you try something like this? it filters ltm (local0) and audit logs.

    sol13333: Filtering log messages sent to remote syslog servers (11.x)

    https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13333.html
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys syslog include
    sys syslog {
        include "
    destination d_remote_loghost {
      udp(\"172.28.24.1\" port(514));
    };
    log {
      source(s_syslog_pipe);
      filter(f_local0);
      filter(f_no_audit);
      filter(f_no_msgbusd);
      filter(f_no_icrd);
      filter(f_no_urlfilter);
      filter(f_no_ipsec);
      destination(d_remote_loghost);
    };
    log {
      source(s_syslog_pipe);
      filter(f_audit);
      destination(d_remote_loghost);
    };
    "
    }
    
    • ghost-rider_124 (Nimbostratus)
      Hi Nitass, thanks for the reply. Could you please let me know what f_local0 and so on are? Are these keywords?
    • nitass (Employee)
      it is defined in /etc/syslog-ng/syslog-ng.conf
  • Just configure (/Common)(tmos.sys) edit /sys syslog all-properties

    Go to the line that says "include none" and replace that line with:

    include "
    destination remote_server {
        udp(\"IP-OF-SYSLOG-SERVER\" port (514));
    };
    filter f_ltm {
        facility(local0) and level(emerg..info);
    };
    log {
        source(local);
        filter(f_ltm);
        destination(remote_server);
    };
    "
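
Added example, not part of the thread and not F5 or syslog-ng code: a collector-side check in Python that decodes the syslog PRI field (facility * 8 + severity) of each received datagram and reports anything that falls outside the f_ltm filter above, `facility(local0) and level(emerg..info)`. The sample datagrams, host names and message text are constructed, and it assumes the collector sees the raw datagram with its `<PRI>` header intact.

```python
import re
from collections import Counter

# Facility and severity numbering from RFC 3164 / RFC 5424: PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(datagram):
    """Return (facility, severity) for a raw syslog datagram, or None if PRI is missing or invalid."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:  # 191 = local7.debug, the highest valid PRI
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return FACILITIES[facility], SEVERITIES[severity]

def matches_f_ltm(datagram):
    """Emulate `facility(local0) and level(emerg..info)` from the f_ltm filter in the thread."""
    decoded = decode_pri(datagram)
    return (decoded is not None and decoded[0] == "local0"
            and SEVERITIES.index(decoded[1]) <= SEVERITIES.index("info"))

def audit_feed(datagrams):
    """Count datagrams per verdict and list the (facility, severity) pairs the filter should have dropped."""
    counts, unexpected = Counter(), []
    for d in datagrams:
        if decode_pri(d) is None:
            counts["malformed"] += 1
        elif matches_f_ltm(d):
            counts["expected"] += 1
        else:
            counts["unexpected"] += 1
            unexpected.append(decode_pri(d))
    return counts, unexpected

# Constructed sample datagrams (host names, PIDs and message text are made up).
SAMPLE = [
    "<133>Dec 22 10:15:01 bigip1 mcpd[5412]: Pool /Common/web_pool member /Common/10.0.0.11:80 monitor status down.",
    "<134>Dec 22 10:15:02 bigip1 tmm[9821]: Constructed info-level LTM message",
    "<135>Dec 22 10:15:03 bigip1 tmm[9821]: Constructed debug-level message",
    "<86>Dec 22 10:15:04 bigip1 sshd[3001]: Constructed authpriv message",
    "Dec 22 10:15:05 bigip1 header stripped by a relay",
]

if __name__ == "__main__":
    counts, unexpected = audit_feed(SAMPLE)
    print(dict(counts), unexpected)
```

Any `unexpected` entry means messages are reaching the collector by a path other than the filtered `log` statement, for example a second `log` block or a destination configured elsewhere.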