ILIAS_g_183177
Feb 26, 2015

Limit syslog messages

Hello,

I have set up the remote logging from the BigIP GUI and the syslog got many messages as shown below:

Feb 27 00:14:01 ltm1 debug crond[13387]: pam_unix(crond:session): session opened for user syscheck by (uid=0)
Feb 27 00:14:01 ltm1 debug crond[13387]: pam_unix(crond:session): session closed for user syscheck
Feb 27 00:15:01 ltm1 debug crond[13389]: pam_unix(crond:session): session opened for user root by (uid=0)
Feb 27 00:15:01 ltm1 debug crond[13390]: pam_unix(crond:session): session opened for user root by (uid=0)
Feb 27 00:15:01 ltm1 debug crond[13389]: pam_unix(crond:session): session closed for user root
Feb 27 00:15:01 ltm1 debug crond[13390]: pam_unix(crond:session): session closed for user root
Feb 27 00:16:02 ltm1 debug crond[13393]: pam_unix(crond:session): session opened for user syscheck by (uid=0)
Feb 27 00:16:02 ltm1 debug crond[13393]: pam_unix(crond:session): session closed for user syscheck
Feb 27 00:18:01 ltm1 debug crond[13395]: pam_unix(crond:session): session opened for user syscheck by (uid=0)
Feb 27 00:18:01 ltm1 debug crond[13395]: pam_unix(crond:session): session closed for user syscheck
Feb 27 00:20:01 ltm1 debug crond[13397]: pam_unix(crond:session): session opened for user root by (uid=0)
Feb 27 00:20:01 ltm1 debug crond[13399]: pam_unix(crond:session): session opened for user syscheck by (uid=0)
Feb 27 00:20:01 ltm1 debug crond[13398]: pam_unix(crond:session): session opened for user root by (uid=0)
Feb 27 00:20:01 ltm1 debug crond[13397]: pam_unix(crond:session): session closed for user root
Feb 27 00:20:01 ltm1 debug crond[13398]: pam_unix(crond:session): session closed for user root
Feb 27 00:20:01 ltm1 debug crond[13399]: pam_unix(crond:session): session closed for user syscheck
Feb 27 00:21:01 ltm1 debug crond[13411]: pam_unix(crond:session): session opened for user root by (uid=0)
Feb 27 00:21:02 ltm1 debug crond[13411]: pam_unix(crond:session): session closed for user root
Feb 27 00:22:01 ltm1 debug crond[13461]: pam_unix(crond:session): session opened for user syscheck by (uid=0)

I tried to limit these log messages (monitor only /var/ltm) by editing the syslog all-properties:

modify syslog {
    auth-priv-from notice
    auth-priv-to emerg
    console-log enabled
    cron-from warning
    cron-to emerg
    daemon-from notice
    daemon-to emerg
    description none
    include "
filter f_local0 {
    facility(local0);
};

log {
    source(s_syslog_pipe);
    filter(f_local0);
};
"
    iso-date disabled
    kern-from debug
    kern-to emerg
    local6-from notice
    local6-to emerg
    mail-from notice
    mail-to emerg
    messages-from notice
    messages-to warning
    remote-servers replace-all-with {
        remotesyslog1 {
            description none
            host x.x.x.x
            local-ip none
            remote-port 514
        }
    }
    user-log-from notice
    user-log-to emerg
}

But I still have the same messages on the remote syslog. Do I have to review the configuration? What am I missing?

Thank you.

3 Replies

  • The messages you see are from cron.

    In your config, try to add

    cron-from warning
    cron-to emerg

    That should be the default settings. To view the full syslog settings: "tmsh list sys syslog all-properties"


  • Thank you.

    I did that and now I can see that it doesn't produce such messages. But this TMSH configuration doesn't produce any GUI configuration, meaning that these changes are not shown anywhere in the Logs->Configuration. Is this how it works?


  • I understand the log level in tmsh list sys syslog all-properties does not apply to remote syslog. A syslog include is needed to filter remote syslog messages.

    Note: The log levels displayed in the output of the bigpipe syslog list all command do not apply to remote syslog servers.

    sol8260: Configuring syslog settings from the command line (9.x - 10.x)

    https://support.f5.com/kb/en-us/solutions/public/8000/200/sol8260.html

    sol13333: Filtering log messages sent to remote syslog servers (11.x)

    https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13333.html
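
A sketch of the include-based filtering the last reply refers to, added here as an example; it is not code from the thread or from F5. The include in the question defines a filter and a log statement but names no destination, so this version adds one. The names f_local0_only and d_remote_loghost and the address 192.0.2.10 are placeholders, and it assumes the separate remote-servers entry is removed so that the include is the only path to the remote host.

```tmsh
# Added example; object names and the 192.0.2.10 address are placeholders.
# Assumption: the remote-servers entry forwards messages independently of
# the include, so it is cleared first and the include defines the remote
# destination itself.
modify /sys syslog remote-servers none

# Inner double quotes are escaped because the whole include is one
# tmsh string. Only facility local0 is forwarded, matching the filter
# the question was trying to apply.
modify /sys syslog include "
filter f_local0_only {
    facility(local0);
};
destination d_remote_loghost {
    udp(\"192.0.2.10\" port(514));
};
log {
    source(s_syslog_pipe);
    filter(f_local0_only);
    destination(d_remote_loghost);
};
"

# Review the resulting configuration, then persist it.
list /sys syslog all-properties
save /sys config
```

With this in place the cron and pam_unix session messages shown in the question never reach the remote host, because they are not logged to facility local0; confirm on the receiving syslog server after the change.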