lost and found ( for me ? )

BIG-IP 10.1 : How to send LTM’s local logs to remote syslog servers


Here’s an explanation of how to send LTM’s local logs to remote syslog servers.

LTM devices use the syslog-ng daemon; however, I'm not familiar with syslog-ng...
[root@ltm1:Active] config # chkconfig --list | grep syslog
syslog-ng       0:off   1:off   2:on    3:on    4:on    5:on    6:off

To configure syslog settings, I need to use the bigpipe command.
[root@ltm1:Active] config # head -5 /etc/syslog-ng/syslog-ng.conf
#
# THIS IS AN AUTO-GENERATED FILE -- DO NOT EDIT!!!
#
# Use the bigpipe shell utility to make changes to the system configuration.
# For more information, see bigpipe syslog help.


I want to send logs related to TMOS (LTM) to remote servers.
What kind of facilities should I send?
Judging from /etc/syslog-ng/syslog-ng.conf, it seems that LTM-related logs are stored in /var/log/ltm, and the facility is local0:

syslog-ng.conf
# local0.*                                      /var/log/ltm
filter f_local0 {
  facility(local0);
};

filter f_no_audit {
  not match("AUDIT");
};

destination d_ltm {
  file("/var/log/ltm" create_dirs(yes));
};

log {
  source(s_syslog_pipe);
  filter(f_local0);
  filter(f_no_audit);
  destination(d_ltm);
};


Let's make an include file for syslog-ng and then change the configuration with the bigpipe command.
LTM ---- remote syslog daemon (Scientific Linux 6)

LTM self IP : 10.0.0.1
syslog : 10.0.0.10

Make the include file.
[root@ltm1:Active] config # vi /var/tmp/syslog-remote.conf
syslog include "
destination d_syslog_server {
   udp(\"10.0.0.10\" port (514));
};
log {
   source(s_syslog_pipe);
   filter(f_local0);
   filter(f_no_audit);
   destination(d_syslog_server);
};
"


Check the current syslog configuration.
[root@ltm1:Active] config # b syslog show
SYSLOG
[root@ltm1:Active] config # b syslog list
syslog {}
[root@ltm1:Active] config # b syslog include show
SYSLOG - Include Data: list
[root@ltm1:Active] config # b syslog remote server show
SYSLOG - Remote Server: none


For more details, please check the output of "b syslog help".
Import the include file using the bpsh command (bigpipe shell).
[root@ltm1:Active] config # bpsh < /var/tmp/syslog-remote.conf


Check the configuration.
[root@ltm1:Active] config # b syslog remote server show
SYSLOG - Remote Server: none
[root@ltm1:Active] config # b syslog include show
SYSLOG - Include Data:

destination d_syslog_server {
   udp("10.0.0.10" port (514));
};
log {
   source(s_syslog_pipe);
   filter(f_local0);
   filter(f_no_audit);
   destination(d_syslog_server);
};


Send log messages with the logger command.
[root@ltm1:Active] config # logger -s -p local0.warning "local0 warning"
root: local0 warning
[root@ltm1:Active] config # logger -s -p local4.warning "local4 warning"
root: local4 warning


Capture data on the syslog server.
[root@sl6-1 ~]# tshark -i eth0 port 514
Capturing on eth0
 0.000000     10.0.0.1 -> 10.0.0.10    Syslog LOCAL0.WARNING: Jan 19 02:43:33 local/ltm1 warning root: test local0 warning\n


The LTM sent the syslog message whose facility is local0 to the syslog server and did not send the message whose facility is local4.
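The check a defender would want on the syslog server side, as an added example that is not part of the original post: a small Python script that decodes the <PRI> header of each UDP datagram (facility = PRI / 8, severity = PRI % 8, the same decoding tshark shows as LOCAL0.WARNING) and mirrors the LTM's filter(f_local0) / filter(f_no_audit) path, so you can confirm that 10.0.0.10 receives only local0 messages without the AUDIT lines. The sample datagrams are constructed here, and the receive() listener bound to port 514 is my assumption, not something the bigpipe configuration provides.

```python
import re
import socket

# RFC 3164 names: facility = PRI >> 3, severity = PRI & 7 (names for 12-15 vary; unused here).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def decode_pri(datagram):
    """Split a BSD-syslog datagram into (facility, severity, body)."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI %d out of range" % pri)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], m.group(2)

def ltm_would_forward(datagram):
    """Mirror the LTM's log path above: filter(f_local0) and filter(f_no_audit)."""
    facility, _severity, body = decode_pri(datagram)
    return facility == "local0" and "AUDIT" not in body

def receive(port=514, max_msgs=5):
    """Print source and facility.severity of the next datagrams (binding 514 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    for _ in range(max_msgs):
        data, (src, _port) = sock.recvfrom(2048)
        fac, sev, body = decode_pri(data.decode("utf-8", "replace"))
        print("%s %s.%s %s" % (src, fac, sev, body.strip()))

# Constructed samples modelled on the capture above (hypothetical, not real LTM output):
# PRI 132 = local0.warning, 164 = local4.warning, 134 = local0.info.
SAMPLES = [
    "<132>Jan 19 02:43:33 local/ltm1 warning root: local0 warning",
    "<164>Jan 19 02:43:40 local/ltm1 warning root: local4 warning",
    "<134>Jan 19 02:44:01 local/ltm1 info root: AUDIT - user root - test",
]

if __name__ == "__main__":
    for s in SAMPLES:
        fac, sev, _ = decode_pri(s)
        print("%s.%s forwarded=%s" % (fac, sev, ltm_would_forward(s)))
```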

Save the configuration.
[root@ltm1:Active] config # egrep -i syslog *.conf

[root@ltm1:Active] config # b save all

[root@ltm1:Active] config # egrep -i syslog *.conf
bigip_sys.conf:syslog {
bigip_sys.conf:destination d_syslog_server {
bigip_sys.conf:    source(s_syslog_pipe);
bigip_sys.conf:    destination(d_syslog_server);

[root@ltm1:Active] config # cat bigip_sys.conf
syslog {
  include "
destination d_syslog_server {
   udp(\"10.0.0.10\" port (514));
};
log {
   source(s_syslog_pipe);
   filter(f_local0);
   filter(f_no_audit);
   destination(d_syslog_server);
};
"

