OK, got this configured, but the logs are not being forwarded to the remote syslog... I used the bottom section of SQOL5527. Any ideas?
Configuring the BIG-IP to send specific logs to remote servers
You can specify which log files the syslog utility should send to (rather than sending all traffic to a remote syslog server and parsing out only the log files you want to capture). This configuration reduces filtering overhead if only specific log filters are needed or required.
To configure the BIG-IP system to send specific logs to remote servers, perform the following procedure:
1. Log in to the command line.
2. Change directories to the /etc/syslog-ng/ directory by typing the following command:
cd /etc/syslog-ng/
3. Back up the current syslog-ng.conf file by typing the following command:
cp syslog-ng.conf syslog-ng.conf.original
4. Using a text editor, open the syslog-ng.conf file.
5. Locate the following syntax, which is located before the various log files and their options are specified:
options {
    dir_perm(0755);
    perm(0644);
    chain_hostnames(no);
    keep_hostname(yes);
    stats(0);
    log_fifo_size(2048);
};
source local {
    unix-stream("/dev/log");
    pipe("/proc/kmsg");
    udp(ip(127.0.0.1) port(514));
    udp(ip(127.2.0.2) port(514));
    internal();
};
6. Add the following destination entry on a new line after the syntax in Step 5:
destination remote_server {
    udp("x.x.x.x" port (514));
};
Note: Replace x.x.x.x with the IP address of the remote log server.
7. Locate the log section of the specific message section that you want to send to a remote server and update the destination option.
For example:
Add a remote destination server so all log information for the /var/log/ltm file will be recorded to the /var/log/ltm file and be sent to a remote server.
Original /var/log/ltm entry in syslog-ng.conf:
# local0.* /var/log/ltm
filter f_local0 {
    facility(local0) and level(debug..emerg);
};
filter f_no_audit {
    not match("AUDIT");
};
destination d_ltm {
    file("/var/log/ltm" create_dirs(yes));
};
log {
    source(local);
    filter(f_local0);
    filter(f_no_audit);
    destination(d_ltm);
};
Change the destination entry located under the log section to include the new destination filter created in Step 6:
# local0.* /var/log/ltm
filter f_local0 {
    facility(local0) and level(debug..emerg);
};
filter f_no_audit {
    not match("AUDIT");
};
destination d_ltm {
    file("/var/log/ltm" create_dirs(yes));
};
log {
    source(local);
    filter(f_local0);
    filter(f_no_audit);
    destination(d_ltm);
    destination(remote_server);
};
8. Repeat Step 7 for each log file you want to send a copy of the log information to a remote log server.
9. Save the changes made to the syslog-ng.conf file.
10. Restart syslog-ng with the following command:
bigstart restart syslog-ng
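
One thing to rule out when nothing arrives at the remote server is a partly applied Step 6 or Step 7. The following POSIX shell function is an added check, not part of the original post or of the procedure it quotes: it reports whether the named destination is defined, whether it still holds the x.x.x.x placeholder, and which log paths reference it. The sample configuration, the 192.0.2.10 address and the d_messages path are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a syslog-ng.conf for the Step 6 and Step 7 edits.
# Usage: check_remote_dest NAME [FILE]   (reads stdin when FILE is omitted)
# Returns 0 only if destination NAME is defined, holds no x.x.x.x
# placeholder, and is referenced by at least one log { } path.
check_remote_dest() {
    name=$1; shift
    awk -v name="$name" '
    { sub(/#.*/, ""); line = $0; gsub(/[ \t]/, "", line) }  # drop comments, spaces
    index(line, "destination" name "{") == 1 { indef = 1; defined = 1 }
    indef && index(line, "x.x.x.x")          { placeholder = 1 }
    indef && index(line, "};")               { indef = 0 }
    index(line, "log{") == 1                 { inlog = 1; fwd = 0; first = "" }
    inlog && match(line, /destination\([^)]*\)/) {
        if (first == "") first = substr(line, RSTART + 12, RLENGTH - 13)
        if (index(line, "destination(" name ")")) fwd = 1
    }
    inlog && index(line, "};") {
        tag = fwd ? "FORWARDED  " : "LOCAL-ONLY "
        print tag first; nfwd += fwd; inlog = 0
    }
    END {
        if (!defined)    print "MISSING     destination " name
        if (placeholder) print "PLACEHOLDER x.x.x.x still in destination " name
        exit !(defined && !placeholder && nfwd > 0)
    }' "$@"
}

# Constructed sample: the ltm path after Step 7, plus one path left unedited.
sample_conf() {
    cat <<EOF
destination remote_server {
    udp("$1" port (514));
};
log {
    source(local);
    filter(f_local0);
    destination(d_ltm);
    destination(remote_server);
};
log {
    source(local);
    destination(d_messages);
};
EOF
}

sample_conf 192.0.2.10 | check_remote_dest remote_server
```

On the system itself the call would be `check_remote_dest remote_server /etc/syslog-ng/syslog-ng.conf`; a `#` inside a quoted string is treated as a comment start, which is a simplification of this check.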