Forum Discussion

hmrad_233939
Sep 19, 2016

Filtering specific SSH connections from log messages

Hello,

To monitor the SSH service on our F5 boxes, our monitoring server periodically conducts SSH connection attempts that are logged locally (/var/log/ltm) and remotely via a Syslog server. Since these logs are not really useful, we would like to not display them locally and not send them to the syslog server.

Mon Sep 5 04:27:30 CEST 2016 info F5-DEVICE sshd[5138] Did not receive identification string from IP_MONITORING_SERVER
Mon Sep 5 04:32:30 CEST 2016 info F5-DEVICE sshd[5179] Did not receive identification string from IP_MONITORING_SERVER
Mon Sep 5 04:37:30 CEST 2016 info F5-DEVICE sshd[5194] Did not receive identification string from IP_MONITORING_SERVER
Mon Sep 5 04:42:30 CEST 2016 info F5-DEVICE sshd[5233] Did not receive identification string from IP_MONITORING_SERVER

I know that with the include command "filter filter_name {..}; log {filter (filter_name)};" it's possible to apply filters to the logs, but I do not find a way to filter for this scenario.

Is there a way to suppress these specific SSH connections initiated from our monitoring server?

I found an example (sol16932) that might look like what I want but in my opinion, we should have the good arguments to put in the filter command.

Thanking you in advance
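The matching rule such a filter needs, sketched in Python as an added example that is not part of the original post and is not F5 or syslog-ng configuration: it drops only the sshd "Did not receive identification string" message when the source is exactly the monitoring server, so the same message from any other address, and any other sshd event from the monitoring server, is still logged. The address 192.0.2.10 standing in for IP_MONITORING_SERVER, the function names, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Layout of the log lines quoted in the post:
# "<weekday> <mon> <day> <time> <tz> <year> <level> <host> <program>[<pid>] <message>"
LINE_RE = re.compile(
    r"^\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \w+ \d{4} "
    r"(?P<level>\w+) (?P<host>\S+) (?P<program>[\w-]+)\[(?P<pid>\d+)\]:? (?P<msg>.*)$"
)
# Newer OpenSSH releases append " port N" to this message, so it is optional here.
PROBE_RE = re.compile(
    r"^Did not receive identification string from (?P<ip>\S+?)(?: port \d+)?$"
)

# Assumption: documentation address standing in for IP_MONITORING_SERVER.
MONITOR_IP = ipaddress.ip_address("192.0.2.10")


def should_suppress(line, monitor_ip=MONITOR_IP):
    """True only for the sshd probe message sent by the monitoring server."""
    m = LINE_RE.match(line)
    if not m or m.group("program") != "sshd":
        return False
    probe = PROBE_RE.match(m.group("msg"))
    if not probe:
        return False
    try:
        # Compare parsed addresses, not substrings: "192.0.2.10" must not
        # also silence "192.0.2.100".
        return ipaddress.ip_address(probe.group("ip")) == monitor_ip
    except ValueError:
        return False


def filter_lines(lines, monitor_ip=MONITOR_IP):
    """Return the lines that should still be written locally and forwarded."""
    return [line for line in lines if not should_suppress(line, monitor_ip)]


# Constructed sample lines in the format shown in the post.
SAMPLE = [
    "Mon Sep 5 04:27:30 CEST 2016 info F5-DEVICE sshd[5138] Did not receive identification string from 192.0.2.10",
    "Mon Sep 5 04:28:11 CEST 2016 info F5-DEVICE sshd[5140] Did not receive identification string from 192.0.2.100",
    "Mon Sep 5 04:29:45 CEST 2016 info F5-DEVICE sshd[5151] Did not receive identification string from 203.0.113.7",
    "Mon Sep 5 04:33:02 CEST 2016 info F5-DEVICE sshd[5181] Failed password for root from 192.0.2.10 port 51514 ssh2",
]

if __name__ == "__main__":
    for kept in filter_lines(SAMPLE):
        print(kept)
```

A filter written as an unanchored pattern on the address would also hide the second sample line, which is the case worth testing before deploying any suppression rule.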