Forum Discussion

gpoverland
Sep 18, 2008

Irule to log requests made to specific URL

ok,, trying to send logs to a syslog ng server to record what hosts are making requests to a specific URL. There are several extensions, so I have to send only the logs for a specific URI.. I'va compiled this from reading and looking around, but I usually come to the forum to provide a "sure this will work" or a "your out of your mind"... So please, take a look and let me know if I'm close.. hahahahaha thanks

when HTTP_REQUEST {
    # select the specific URI (forward slashes: in a Tcl double-quoted string "\s" is just "s",
    # so "\some\extension" would silently become "someextension")
    if { [HTTP::uri] contains "/some/extension" } {
        # set the URL here
        set url [HTTP::host][HTTP::uri]
        # set the client making the request here
        set client [IP::client_addr]
        # log connection info; kept inside the if so $client and $url are always set
        # (remote syslog form: log <host> <facility>.<level> <message>)
        log 10.10.10.10 local0.info "Client: $client -> URL:$url"
    }
}

8 Replies

  • Ok, I implemented this iRule last night and it doesn't appear to be sending the logs to the syslog server. I can't tell if it's a criteria issue or a syslog issue; I have to do some checking. But I was wondering if there was something else I needed to do, a step I missed. For example, did I need to configure the remote syslog somewhere else before I implemented this iRule?
  • What is your BIG-IP version?

    You need to be on version 9.4.4 at least to be able to do it.
  • 9.4.3 hahahahhaha dang... so what options do I have (besides upgrading)?
  • The only option remaining will be to send your iRule logging to a local facility which is not used.

    FYI local1 is used for Enterprise Manager and should log by default in /var/log/em

    local2 -> GTM module /var/log/gtm

    local3 -> ASM module /var/log/asm

    Then you configure your syslog-ng to send messages with this facility to a remote syslog server.

    It will probably be less efficient but should work.
  • Interesting.. Can't say that I've done that but let me see what it entails.. Thanks for the advice..
  • Ok, got this configured but the logs are not being forwarded to the remote syslog... I used the bottom section of SOL5527. Any ideas?

    Configuring the BIG-IP to send specific logs to remote servers

    You can specify which log files the syslog utility should send to (rather than sending all traffic to a remote syslog server and parsing out only the log files you want to capture). This configuration reduces filtering overhead if only specific log filters are needed or required.

    To configure the BIG-IP system to send specific logs to remote servers, perform the following procedure:

    1. Log in to the command line.

    2. Change directories to the /etc/syslog-ng/ directory by typing the following command:

        cd /etc/syslog-ng/

    3. Back up the current syslog-ng.conf file by typing the following command:

        cp syslog-ng.conf syslog-ng.conf.original

    4. Using a text editor, open the syslog-ng.conf file.

    5. Locate the following syntax, which is located before the various log files and their options are specified:

        options {
            dir_perm(0755);
            perm(0644);
            chain_hostnames(no);
            keep_hostname(yes);
            stats(0);
            log_fifo_size(2048);
        };

        source local {
            unix-stream("/dev/log");
            pipe("/proc/kmsg");
            udp(ip(127.0.0.1) port(514));
            udp(ip(127.2.0.2) port(514));
            internal();
        };

    6. Add the following destination entry on a new line after the syntax in Step 5:

        destination remote_server {
            udp("x.x.x.x" port (514));
        };

    Note: Replace x.x.x.x with the IP address of the remote log server.

    7. Locate the log section of the specific message section that you want to send to a remote server and update the destination option.

    For example:

    Add a remote destination server so all log information for the /var/log/ltm file will be recorded to the /var/log/ltm file and be sent to a remote server.

    Original /var/log/ltm entry in syslog-ng.conf:

        # local0.* /var/log/ltm
        filter f_local0 {
            facility(local0) and level(debug..emerg);
        };
        filter f_no_audit {
            not match("AUDIT");
        };
        destination d_ltm {
            file("/var/log/ltm" create_dirs(yes));
        };
        log {
            source(local);
            filter(f_local0);
            filter(f_no_audit);
            destination(d_ltm);
        };

    Change the destination entry located under the log section to include the new destination created in Step 6:

        # local0.* /var/log/ltm
        filter f_local0 {
            facility(local0) and level(debug..emerg);
        };
        filter f_no_audit {
            not match("AUDIT");
        };
        destination d_ltm {
            file("/var/log/ltm" create_dirs(yes));
        };
        log {
            source(local);
            filter(f_local0);
            filter(f_no_audit);
            destination(d_ltm);
            destination(remote_server);
        };

    8. Repeat Step 7 for each log file for which you want to send a copy of the log information to a remote log server.

    9. Save the changes made to the syslog-ng.conf file.

    10. Restart syslog-ng with the following command:

        bigstart restart syslog-ng
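A static check of the Step 7 edit that the last post says is not producing forwarded logs: an added example in Python, not code from the thread or from F5, using a small regex parser over a constructed copy of the /var/log/ltm entry (192.0.2.10 is a made-up stand-in for the x.x.x.x remote server). It also shows why the local1 workaround from the earlier reply needs its own filter and log block: the existing f_local0 filter only passes local0.

```python
"""Static check of a BIG-IP 9.x syslog-ng.conf edited as in SOL5527: which remote
hosts receive messages of a given facility?  Added example, not code from the
thread or from F5; a small regex parser, not syslog-ng's own grammar."""
import re

# Constructed sample mirroring the thread's /var/log/ltm entry; 192.0.2.10 is a
# made-up address standing in for the x.x.x.x remote log server of Step 6.
BEFORE = """
destination remote_server { udp("192.0.2.10" port (514)); };
# local0.*        /var/log/ltm
filter f_local0 { facility(local0) and level(debug..emerg); };
filter f_no_audit { not match("AUDIT"); };
destination d_ltm { file("/var/log/ltm" create_dirs(yes)); };
log { source(local); filter(f_local0); filter(f_no_audit); destination(d_ltm); };
"""
# Step 7 applied: the log block also names the remote destination.
AFTER = BEFORE.replace("destination(d_ltm);",
                       "destination(d_ltm); destination(remote_server);")

# filter NAME { ... };  destination NAME { ... };  log { ... };
BLOCK = re.compile(r'\b(filter|destination|log)\b\s*(\w*)\s*\{(.*?)\};', re.S)

def parse_conf(text):
    """Return (filters, destinations, logs): filters maps name -> facilities,
    destinations maps name -> remote hosts (empty set = local file only), logs
    lists (filter names, destination names) for each log {} block."""
    text = re.sub(r'#[^\n]*', '', text)  # drop comments such as "# local0.* ..."
    filters, dests, logs = {}, {}, []
    for kind, name, body in BLOCK.findall(text):
        if kind == 'filter':
            filters[name] = set(re.findall(r'facility\((\w+)\)', body))
        elif kind == 'destination':
            dests[name] = set(re.findall(r'(?:udp|tcp)\(\s*"([^"]+)"', body))
        else:
            logs.append((re.findall(r'filter\((\w+)\)', body),
                         re.findall(r'destination\((\w+)\)', body)))
    return filters, dests, logs

def remote_targets(text, facility):
    """Remote hosts that receive `facility`: some log block must name a filter
    selecting that facility and a destination with a udp()/tcp() host."""
    filters, dests, logs = parse_conf(text)
    hosts = set()
    for fnames, dnames in logs:
        if any(facility in filters.get(f, ()) for f in fnames):
            for d in dnames:
                hosts |= dests.get(d, set())
    return hosts
```

Running `remote_targets(open("/etc/syslog-ng/syslog-ng.conf").read(), "local0")` on the edited file tells you whether the log block actually references remote_server before you go looking at the network or the iRule.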