Frederic_Lemair
Jan 10, 2018

LTM - How to split syslog message per partition

Hello,

I'm currently configuring partitions on a vCMP and I successfully configured a separate syslog server per partition, but it seems that the BIG-IP is sending all the local traffic logs for any partition to the destination syslog. Is there a way to configure the BIG-IP so that the syslog of partition A only receives messages related to partition A and not all the syslog related to a pool/node/vs/... of the other partitions? Is there a way to add the partition ID to the local traffic logs and filter on it?

The final goal is to deliver a partition to different tenants (clients) to provide us an LTM instance, but we need partition A to see only the syslog of its own partition and not those of the other partitions.

Can anyone help?

Thanks a lot. Regards, Frédéric

 

4 Replies

  • Hi Frédéric,

    Are you using HSL and Publishers for logging? You may have local syslog selected as a destination.

    Are you able to share your configuration?

    Thanks, Lee

     

  • Hello Lee,

    I'm using partitioning on the vCMP. I have 2 partitions routed by 2 different route domains.

    With the following configuration, I'm able to send the syslog messages to 2 different syslog servers. My problem is that each of the 2 syslog servers is receiving the messages related to partitionA pool/nodes/vs as well as the ones from partitionB pool/nodes/vs.

    The goal would be that the partition A syslog only receives the logs from its local traffic (LTM) pool/nodes/vs and not the ones of another partition.

    As this setup is to be used for multi-tenancy, using partitions and route domains to isolate traffic, tenant A should not have the "rights" to see log messages related to tenant B's LTM objects.

    The syslog configuration I did is the following (hope you are seeing the screenshots):

    Log Filters:

    Log destinations:

    Log Publishers:

    Many thanks in advance. Regards, Frédéric

     

    • Lee_Sutcliffe

      I've had a look at some other configurations and I'm not convinced that having a publisher or destination in a partition means it will only process logs for that partition.

      I believe it's more a case that the log destination is located in a particular partition. To quote the help section of Log Publisher in the GUI:

      Partition / Path: Specifies the partition or path to which the log publisher belongs.

      Log entries in /var/log/ltm are essentially partition agnostic, although they do list the partition as part of the entry (so could be filtered at destination). Essentially you're sending a copy of these logs to each of your syslog servers.

      Someone on here may be able to offer an alternate view, but I'm not sure you can distinguish partition logs this way. That's not to say it can't be done.

      Are you able to filter log messages on the syslog server itself rather than at source?

      Having each tenant have their own vCMP guest would achieve what you need, but you obviously have resource and licence constraints to contend with.

      Sorry if I couldn't be more helpful.

       

  • Cannot see a way of doing this within the native F5 configuration directly but you can make changes to syslog-ng on the F5.

    See: K7342: Overview of the syslog-ng.conf file

    And: The syslog-ng Open Source Edition 3.7 Administrator Guide

    Chapter 8 of the syslog-ng Administrator Guide has details on filters; you can use these to identify log messages using match() or message() (both use regex to identify messages) for each partition and select the remote destination.

    A very simple example of an additional entry to locate messages containing "/partition1/" and send them to a remote server (NOTE: I have not done much with syslog-ng, so this is only an example and will likely need additional configuration to get working within the F5's syslog-ng.conf file):

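    # Match messages whose text contains an object path under /partition1/
    filter f_part1 {
        message("/partition1/");
    };
    # Remote syslog server for partition1 (address is an example)
    destination d_remote1 {
        network("10.1.2.3" transport("udp"));
    };
    # Forward only the filtered messages to that server
    log {
        source(s_syslog_pipe);
        filter(f_part1);
        destination(d_remote1);
    };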
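
Filtering on the partition path, as the replies above suggest, sketched here as an added example (not code from any poster or from F5). It assumes tenant partitions named partitionA and partitionB, a hypothetical `_operator` stream for the platform team, and a policy (an assumption, not stated in the thread) that a line naming no tenant or more than one tenant is withheld from all tenants. The log lines are constructed samples.

```python
import re
from collections import defaultdict

# Assumed tenant partition names; /Common is shared and is not a tenant.
TENANTS = {"partitionA", "partitionB"}
OPERATOR = "_operator"  # hypothetical catch-all stream, never shown to tenants

# Root component of an absolute object path such as /partitionA/pool_web.
# The lookbehind rejects slashes inside a longer path (/Common/partitionA/...).
PATH_ROOT = re.compile(r"(?<![\w./-])/([A-Za-z][\w.-]*)/")

def route(line):
    """Return the one stream this line may go to (fail closed on ambiguity)."""
    owners = {root for root in PATH_ROOT.findall(line) if root in TENANTS}
    if len(owners) == 1:
        return owners.pop()
    return OPERATOR  # no tenant, or more than one tenant, named in the line

def substring_match(line, tenant):
    """Plain substring test on "/<tenant>/", shown only for comparison."""
    return f"/{tenant}/" in line

def split(lines):
    """Group lines into per-tenant streams plus the operator stream."""
    streams = defaultdict(list)
    for line in lines:
        streams[route(line)].append(line)
    return dict(streams)

# Constructed sample lines (not real BIG-IP output).
SAMPLE = [
    "Jan 10 09:15:02 bigip1 notice mcpd[4321]: Pool /partitionA/pool_web "
    "member /partitionA/10.0.0.5:80 monitor status down.",
    "Jan 10 09:15:07 bigip1 notice mcpd[4321]: Pool /partitionB/pool_api "
    "member /partitionB/10.0.1.9:443 monitor status up.",
    "Jan 10 09:16:11 bigip1 info tmm[9876]: Virtual /partitionA/vs_web "
    "uses profile /Common/tcp",
    "Jan 10 09:17:30 bigip1 warning mcpd[4321]: Objects /partitionA/pool_web "
    "and /partitionB/pool_api changed",
    "Jan 10 09:18:00 bigip1 notice logger: rotated /var/log/ltm",
    "Jan 10 09:19:44 bigip1 notice mcpd[4321]: Pool "
    "/Common/partitionA/pool_shared created",
]

if __name__ == "__main__":
    for name, lines in sorted(split(SAMPLE).items()):
        print(name, len(lines))
```

The last sample line shows why the path root is checked rather than a bare substring: a folder named partitionA under /Common contains "/partitionA/" but does not belong to that tenant.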