Here's an explanation of how to send LTM's local logs to remote syslog servers.
LTM devices use the syslog-ng daemon; however, I'm not familiar with syslog-ng.
[root@ltm1:Active] config # chkconfig --list | grep syslog
syslog-ng 0:off 1:off 2:on 3:on 4:on 5:on 6:off
To configure syslog settings, I need to use the bigpipe command.
[root@ltm1:Active] config # head -5 /etc/syslog-ng/syslog-ng.conf
#
# THIS IS AN AUTO-GENERATED FILE -- DO NOT EDIT!!!
#
# Use the bigpipe shell utility to make changes to the system configuration.
# For more information, see bigpipe syslog help.
I want to send logs related to TMOS (LTM) to remote servers.
Which facilities should I send?
Judging from /etc/syslog-ng/syslog-ng.conf, LTM-related logs are stored in /var/log/ltm, and the facility appears to be local0:
syslog-ng.conf
# local0.* /var/log/ltm
filter f_local0 {
facility(local0);
};
filter f_no_audit {
not match("AUDIT");
};
destination d_ltm {
file("/var/log/ltm" create_dirs(yes));
};
log {
source(s_syslog_pipe);
filter(f_local0);
filter(f_no_audit);
destination(d_ltm);
};
Let's make an include file for syslog-ng and then change the configuration with the bigpipe command.
LTM ---- remote syslog daemon (Scientific Linux 6)
LTM self IP: 10.0.0.1
syslog server: 10.0.0.10
Make the include file.
[root@ltm1:Active] config # vi /var/tmp/syslog-remote.conf
syslog include "
destination d_syslog_server {
udp(\"10.0.0.10\" port (514));
};
log {
source(s_syslog_pipe);
filter(f_local0);
filter(f_no_audit);
destination(d_syslog_server);
};
"
Check the current syslog configuration.
[root@ltm1:Active] config # b syslog show
SYSLOG
[root@ltm1:Active] config # b syslog list
syslog {}
[root@ltm1:Active] config # b syslog include show
SYSLOG - Include Data: list
[root@ltm1:Active] config # b syslog remote server show
SYSLOG - Remote Server: none
For more details, please check the output of "b syslog help".
Import the include file using the bpsh command (bigpipe shell).
[root@ltm1:Active] config # bpsh < /var/tmp/syslog-remote.conf
Check the configuration.
[root@ltm1:Active] config # b syslog remote server show
SYSLOG - Remote Server: none
[root@ltm1:Active] config # b syslog include show
SYSLOG - Include Data:
destination d_syslog_server {
udp("10.0.0.10" port (514));
};
log {
source(s_syslog_pipe);
filter(f_local0);
filter(f_no_audit);
destination(d_syslog_server);
};
Send log messages with the logger command.
[root@ltm1:Active] config # logger -s -p local0.warning "local0 warning"
root: local0 warning
[root@ltm1:Active] config # logger -s -p local4.warning "local4 warning"
root: local4 warning
Capture packets on the syslog server.
[root@sl6-1 ~]# tshark -i eth0 port 514
Capturing on eth0
0.000000 10.0.0.1 -> 10.0.0.10 Syslog LOCAL0.WARNING: Jan 19 02:43:33 local/ltm1 warning root: test local0 warning\n
LTM sent the syslog message whose facility is local0 to the syslog server and did not send the message whose facility is local4, which is what the f_local0 filter in the include file selects.
Save the configuration.
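To make the filter chain concrete, here is an added Python model of the include file's log path (this is illustration code, not from the original post or from F5). It decodes the syslog PRI the way `logger -p facility.severity` encodes it (RFC 3164: PRI = facility * 8 + severity), applies f_local0 and f_no_audit to constructed sample lines, and shows that besides dropping local4, the same path also drops local0 messages containing "AUDIT", so audit entries do not reach the remote server with this include.

```python
import re

# Constructed model of the log path in the include file on this page:
#   source(s_syslog_pipe) -> filter(f_local0) -> filter(f_no_audit) -> destination(d_syslog_server)
# Facility and severity codes are the standard BSD syslog values (RFC 3164).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5, "authpriv": 10,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility, severity):
    """PRI value that `logger -p facility.severity` puts in front of the message."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def parse_pri(line):
    """Split a raw syslog line into (facility_code, severity_code, text)."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("bad or missing <PRI> header: %r" % line)
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def f_local0(facility, text):
    return facility == FACILITIES["local0"]


def f_no_audit(facility, text):
    # syslog-ng match("AUDIT") is an unanchored regex search over the message text
    return re.search(r"AUDIT", text) is None


def reaches_remote(line):
    """True if the message passes both filters and is sent to d_syslog_server."""
    facility, _severity, text = parse_pri(line)
    return f_local0(facility, text) and f_no_audit(facility, text)


# Constructed sample lines, as the syslog pipe would see them (not real LTM output).
SAMPLE = [
    "<%d>Jan 19 02:43:33 ltm1 root: local0 warning" % encode_pri("local0", "warning"),
    "<%d>Jan 19 02:43:40 ltm1 root: local4 warning" % encode_pri("local4", "warning"),
    "<%d>Jan 19 02:44:01 ltm1 root: AUDIT - constructed audit entry" % encode_pri("local0", "notice"),
]


def forwarded(lines=SAMPLE):
    """Return the subset of lines that would reach the remote server."""
    return [l for l in lines if reaches_remote(l)]
```

Only the first sample line is forwarded; to ship audit entries too you would need a log path without filter(f_no_audit), and the page's UDP transport carries them in cleartext.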
[root@ltm1:Active] config # egrep -i syslog *.conf
[root@ltm1:Active] config # b save all
[root@ltm1:Active] config # egrep -i syslog *.conf
bigip_sys.conf:syslog {
bigip_sys.conf:destination d_syslog_server {
bigip_sys.conf: source(s_syslog_pipe);
bigip_sys.conf: destination(d_syslog_server);
[root@ltm1:Active] config # cat bigip_sys.conf
syslog {
include "
destination d_syslog_server {
udp(\"10.0.0.10\" port (514));
};
log {
source(s_syslog_pipe);
filter(f_local0);
filter(f_no_audit);
destination(d_syslog_server);
};
"