mario365_345588
Jan 05, 2018

Configure Syslog-ng to Only Show Logins & Log Outs

I'm running ver 11.5 & need to set syslog messages to only send authentication messages to my syslog server. Right now it's sending everything & I don't have the storage to keep up. I'm only interested in seeing logins & logouts so I know who & when someone is logging into my F5.

 

I tried using "no" and "delete" in front of things I care not to have logged but that doesn't work in Linux. Any help is appreciated. Here is my current config below.

 

    root@(MTLF5DEV01)(cfg-sync Standalone)(Active)(/Common)(tmos) list /sys syslog all-properties
    sys syslog {
        auth-priv-from notice
        auth-priv-to emerg
        console-log enabled
        cron-from warning
        cron-to emerg
        daemon-from notice
        daemon-to emerg
        description none
        include none
        iso-date disabled
        kern-from debug
        kern-to emerg
        local6-from notice
        local6-to emerg
        mail-from notice
        mail-to emerg
        messages-from notice
        messages-to warning
        remote-servers {
            remotesyslog1 {
                description none
                host 192.168.152.36
                local-ip none
                remote-port 514
            }
        }
        user-log-from notice
        user-log-to emerg
    }

 

12 Replies

    • mario365_345588

      I did see the article, I'm sorry. I was able to access vi through the edit option like the article displays, but I'm unsure if erasing all facilities except "auth-priv-from notice" & "auth-priv-to emerg" then saving will cause only logins to be sent to the syslog server. Could you please advise?

       

  • e.g.

    1) check to see if there is an existing filter in syslog-ng.conf that we can use.

    [root@ve13a:Active:In Sync] config  awk '/ authpriv/,/^$/' /etc/syslog-ng/syslog-ng.conf
     authpriv.*                                    /var/log/secure
    filter f_authpriv {
        (facility(auth, authpriv) and level(notice..emerg))
        or program(sshd)
        or (facility(auth,authpriv) and (program(httpd) or program(tamd)))
        or message("pam_audit")
        ;
    };
    

    2) craft syslog include configuration

    sys syslog {
      include "
        destination d_loghost {
          udp("200.200.200.101" port(514));
        };
        log {
          source(s_syslog_pipe);
          filter(f_authpriv);
          destination(d_loghost);
        };
        "
    }
    

    3) merge the syslog include configuration into running configuration

    root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys syslog
    sys syslog { }
    root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) load sys config from-terminal merge
    Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
    sys syslog {
      include "
        destination d_loghost {
          udp("200.200.200.101" port(514));
        };
        log {
          source(s_syslog_pipe);
          filter(f_authpriv);
          destination(d_loghost);
        };
        "
    }
    Loading configuration...
    root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys syslog
    sys syslog {
        include "
        destination d_loghost {
          udp(200.200.200.101 port(514));
        };
        log {
          source(s_syslog_pipe);
          filter(f_authpriv);
          destination(d_loghost);
        };
        "
    }
    

    4) verify that only the log we want is sent to the remote syslog

    // tcpdump
    *please note that interface 0.0 is used here because the remote syslog is connected via a tmm interface (not the mgmt interface)
    
    [root@ve13a:Active:In Sync] config  tcpdump -nni 0.0 -s0 host 200.200.200.101 and port 514 -X
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
    10:49:22.969608 IP 200.200.200.11.38628 > 200.200.200.101.514: SYSLOG authpriv.info, length: 209 out slot1/tmm0 lis=
            0x0000:  4500 00ed e223 4000 4011 35da c8c8 c80b  E....@.@.5.....
            0x0010:  c8c8 c865 96e4 0202 00d9 22ed 3c38 363e  ...e......".<86>
            0x0020:  4a61 6e20 2036 2031 303a 3439 3a32 3220  Jan..6.10:49:22.
            0x0030:  7665 3133 6120 696e 666f 2073 7368 6428  ve13a.info.sshd(
            0x0040:  7061 6d5f 6175 6469 7429 5b36 3135 335d  pam_audit)[6153]
            0x0050:  3a20 7573 6572 3d72 6f6f 7428 726f 6f74  :.user=root(root
            0x0060:  2920 7061 7274 6974 696f 6e3d 5b41 6c6c  ).partition=[All
            0x0070:  5d20 6c65 7665 6c3d 4164 6d69 6e69 7374  ].level=Administ
            0x0080:  7261 746f 7220 7474 793d 7373 6820 686f  rator.tty=ssh.ho
            0x0090:  7374 3d31 3732 2e31 362e 3230 342e 3333  st=172.16.204.33
            0x00a0:  2061 7474 656d 7074 733d 3120 7374 6172  .attempts=1.star
            0x00b0:  743d 2253 6174 204a 616e 2020 3620 3130  t="Sat.Jan..6.10
            0x00c0:  3a34 393a 3231 2032 3031 3822 2065 6e64  :49:21.2018".end
            0x00d0:  3d22 5361 7420 4a61 6e20 2036 2031 303a  ="Sat.Jan..6.10:
            0x00e0:  3439 3a32 3220 3230 3138 222e 0a01 0501  49:22.2018".....
            0x00f0:  0000 0000                                ....
    10:49:22.969620 IP 200.200.200.11.38628 > 200.200.200.101.514: SYSLOG local0.info, length: 264 out slot1/tmm0 lis=
            0x0000:  4500 0124 e224 4000 4011 35a2 c8c8 c80b  E..$.$@.@.5.....
            0x0010:  c8c8 c865 96e4 0202 0110 2324 3c31 3334  ...e......$<134
            0x0020:  3e4a 616e 2020 3620 3130 3a34 393a 3232  >Jan..6.10:49:22
            0x0030:  2076 6531 3361 2069 6e66 6f20 7373 6864  .ve13a.info.sshd
            0x0040:  2870 616d 5f61 7564 6974 295b 3631 3533  (pam_audit)[6153
            0x0050:  5d3a 2030 3130 3730 3431 373a 363a 2041  ]:.01070417:6:.A
            0x0060:  5544 4954 202d 2075 7365 7220 726f 6f74  UDIT.-.user.root
            0x0070:  202d 2052 4157 3a20 7373 6864 2870 616d  .-.RAW:.sshd(pam
            0x0080:  5f61 7564 6974 293a 2075 7365 723d 726f  _audit):.user=ro
            0x0090:  6f74 2872 6f6f 7429 2070 6172 7469 7469  ot(root).partiti
            0x00a0:  6f6e 3d5b 416c 6c5d 206c 6576 656c 3d41  on=[All].level=A
            0x00b0:  646d 696e 6973 7472 6174 6f72 2074 7479  dministrator.tty
            0x00c0:  3d73 7368 2068 6f73 743d 3137 322e 3136  =ssh.host=172.16
            0x00d0:  2e32 3034 2e33 3320 6174 7465 6d70 7473  .204.33.attempts
            0x00e0:  3d31 2073 7461 7274 3d22 5361 7420 4a61  =1.start="Sat.Ja
            0x00f0:  6e20 2036 2031 303a 3439 3a32 3120 3230  n..6.10:49:21.20
            0x0100:  3138 2220 656e 643d 2253 6174 204a 616e  18".end="Sat.Jan
            0x0110:  2020 3620 3130 3a34 393a 3232 2032 3031  ..6.10:49:22.201
            0x0120:  3822 2e0a 0105 0100 0000 00              8".........
    10:49:22.974077 IP 200.200.200.11.38628 > 200.200.200.101.514: SYSLOG authpriv.info, length: 178 out slot1/tmm0 lis=
            0x0000:  4500 00ce e226 4000 4011 35f6 c8c8 c80b  E....&@.@.5.....
            0x0010:  c8c8 c865 96e4 0202 00ba 22ce 3c38 363e  ...e......".<86>
            0x0020:  4a61 6e20 2036 2031 303a 3439 3a32 3220  Jan..6.10:49:22.
            0x0030:  7665 3133 6120 696e 666f 2073 7368 6428  ve13a.info.sshd(
            0x0040:  7061 6d5f 6175 6469 7429 5b36 3135 305d  pam_audit)[6150]
            0x0050:  3a20 7573 6572 3d72 6f6f 7428 726f 6f74  :.user=root(root
            0x0060:  2920 7061 7274 6974 696f 6e3d 5b41 6c6c  ).partition=[All
            0x0070:  5d20 6c65 7665 6c3d 4164 6d69 6e69 7374  ].level=Administ
            0x0080:  7261 746f 7220 7474 793d 7373 6820 686f  rator.tty=ssh.ho
            0x0090:  7374 3d31 3732 2e31 362e 3230 342e 3333  st=172.16.204.33
            0x00a0:  2061 7474 656d 7074 733d 3120 7374 6172  .attempts=1.star
            0x00b0:  743d 2253 6174 204a 616e 2020 3620 3130  t="Sat.Jan..6.10
            0x00c0:  3a34 393a 3232 2032 3031 3822 2e0a 0105  :49:22.2018"....
            0x00d0:  0100 0000 00                             .....
    10:49:22.974086 IP 200.200.200.11.38628 > 200.200.200.101.514: SYSLOG local0.info, length: 233 out slot1/tmm0 lis=
            0x0000:  4500 0105 e227 4000 4011 35be c8c8 c80b  E....'@.@.5.....
            0x0010:  c8c8 c865 96e4 0202 00f1 2305 3c31 3334  ...e.......<134
            0x0020:  3e4a 616e 2020 3620 3130 3a34 393a 3232  >Jan..6.10:49:22
            0x0030:  2076 6531 3361 2069 6e66 6f20 7373 6864  .ve13a.info.sshd
            0x0040:  2870 616d 5f61 7564 6974 295b 3631 3530  (pam_audit)[6150
            0x0050:  5d3a 2030 3130 3730 3431 373a 363a 2041  ]:.01070417:6:.A
            0x0060:  5544 4954 202d 2075 7365 7220 726f 6f74  UDIT.-.user.root
            0x0070:  202d 2052 4157 3a20 7373 6864 2870 616d  .-.RAW:.sshd(pam
            0x0080:  5f61 7564 6974 293a 2075 7365 723d 726f  _audit):.user=ro
            0x0090:  6f74 2872 6f6f 7429 2070 6172 7469 7469  ot(root).partiti
            0x00a0:  6f6e 3d5b 416c 6c5d 206c 6576 656c 3d41  on=[All].level=A
            0x00b0:  646d 696e 6973 7472 6174 6f72 2074 7479  dministrator.tty
            0x00c0:  3d73 7368 2068 6f73 743d 3137 322e 3136  =ssh.host=172.16
            0x00d0:  2e32 3034 2e33 3320 6174 7465 6d70 7473  .204.33.attempts
            0x00e0:  3d31 2073 7461 7274 3d22 5361 7420 4a61  =1.start="Sat.Ja
            0x00f0:  6e20 2036 2031 303a 3439 3a32 3220 3230  n..6.10:49:22.20
            0x0100:  3138 222e 0a01 0501 0000 0000            18".........
    ^C
    4 packets captured
    4 packets received by filter
    0 packets dropped by kernel
    
    // remote syslog
    
    Jan  6 10:49:22 ve13a info sshd(pam_audit)[6153]: user=root(root) partition=[All] level=Administrator tty=ssh host=172.16.204.33 attempts=1 start="Sat Jan  6 10:49:21 2018" end="Sat Jan  6 10:49:22 2018".
    Jan  6 10:49:22 ve13a info sshd(pam_audit)[6153]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=172.16.204.33 attempts=1 start="Sat Jan  6 10:49:21 2018" end="Sat Jan  6 10:49:22 2018".
    Jan  6 10:49:22 ve13a info sshd(pam_audit)[6150]: user=root(root) partition=[All] level=Administrator tty=ssh host=172.16.204.33 attempts=1 start="Sat Jan  6 10:49:22 2018".
    Jan  6 10:49:22 ve13a info sshd(pam_audit)[6150]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=172.16.204.33 attempts=1 start="Sat Jan  6 10:49:22 2018".
    

    note: to reset syslog include, use syslog include none

    root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) modify sys syslog include none
    root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys syslog
    sys syslog { }
    
    • mario365_345588

      That worked! Thanks! I have one more request. I also need to log config changes from both CLI & GUI to the same syslog server. I have a guess on how it's done (see below) but I'm not sure if I'm oversimplifying it? Could you show me how to add more filters? Thank you.

       

      sys syslog {
        include "
          destination d_loghost {
            udp("192.168.152.36" port(514));
          };
          log {
            source(s_syslog_pipe);
            filter(f_authpriv);
            filter(f_auditing);
            destination(d_loghost);
          };
        "
      }
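
Added example (not part of the thread and not F5's code): a Python model of the f_authpriv filter quoted in the reply, run over constructed messages in the layout of the capture. It shows why the local0.info copies are forwarded as well, and that syslog-ng requires a message to match every filter() referenced in one log path, so stacking two narrows the stream. The names f_audit_standin and either, the sample lines, and treating program() as an unanchored regex search are assumptions.

```python
import re

# Facility and severity names indexed by numeric code (PRI = facility*8 + severity).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp security console clock local0 local1 local2 local3 local4 "
              "local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# Layout assumed from the capture in the reply:
#   <PRI>timestamp host level-word program[pid]: message
LINE = re.compile(r"^<(\d{1,3})>\w{3}\s+\d+ [\d:]{8} \S+ \S+ "
                  r"([^\[:\s]+)(?:\[\d+\])?: (.*)$")

def parse(line):
    m = LINE.match(line)
    if m is None or int(m.group(1)) > 191:
        raise ValueError("unexpected syslog layout: %r" % line)
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri >> 3], "severity": pri & 7,
            "program": m.group(2), "message": m.group(3)}

def label(rec):
    return "%s.%s" % (rec["facility"], SEVERITIES[rec["severity"]])

def f_authpriv(rec):
    """Model of the f_authpriv filter quoted in the reply."""
    auth = rec["facility"] in ("auth", "authpriv")
    prog = lambda pattern: re.search(pattern, rec["program"]) is not None
    return ((auth and rec["severity"] <= 5)             # level(notice..emerg)
            or prog("sshd")                             # program(sshd)
            or (auth and (prog("httpd") or prog("tamd")))
            or re.search("pam_audit", rec["message"]) is not None)

def f_audit_standin(rec):
    """Hypothetical stand-in: the thread never shows a definition of f_auditing."""
    return "AUDIT" in rec["message"]

def either(rec):
    """A single filter that ORs the two, so either kind of message passes."""
    return f_authpriv(rec) or f_audit_standin(rec)

def forwarded(lines, *filters):
    """A log path forwards a message only if every referenced filter matches."""
    return [all(f(parse(line)) for f in filters) for line in lines]

# Constructed samples: the first two follow the captured packets, the rest are invented.
SAMPLES = [
    "<86>Jan  6 10:49:22 ve13a info sshd(pam_audit)[6153]: user=root(root) tty=ssh attempts=1",
    "<134>Jan  6 10:49:22 ve13a info sshd(pam_audit)[6153]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root)",
    "<133>Jan  6 10:50:01 ve13a notice mcpd[5012]: AUDIT - constructed config-change record",
    "<30>Jan  6 10:50:02 ve13a info ntpd[2210]: constructed time sync message",
    "<85>Jan  6 10:50:03 ve13a notice httpd[4001]: constructed GUI login record",
]

if __name__ == "__main__":
    rows = zip(SAMPLES,
               forwarded(SAMPLES, f_authpriv),                    # filter from the reply
               forwarded(SAMPLES, f_authpriv, f_audit_standin),   # two stacked filters
               forwarded(SAMPLES, either))                        # OR-combined filter
    for line, only_auth, stacked, combined in rows:
        print("%-16s auth=%-5s stacked=%-5s combined=%s"
              % (label(parse(line)), only_auth, stacked, combined))
```

The local0.info record passes f_authpriv only through the program(sshd) and message("pam_audit") clauses, which is why the capture shows each login twice.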

       
