Wednesday 2 October 2019

F5 BIGIP – Send logs to custom syslog file

For debugging purposes (or simply to organize logs as you prefer), it can be useful to send certain syslog messages to a custom file instead of the default ones such as /var/log/ltm or /var/log/apm.

Desired goal

This example shows how to send syslog messages starting with the string #DEBUG# to the file /var/log/customlog.
(You can replace both the string and the file name in this example with the values you want.)

Configure syslog

Configure some syslog parameters by running the following command:
# tmsh modify sys syslog include '"
filter f_local0 {
facility(local0) and not match(\": #DEBUG#\");
};

filter f_local0_customlog {
facility(local0) and match(\": #DEBUG#\");
};

destination d_customlog {
file(\"/var/log/customlog\" create_dirs(yes));
};

log {
source(local);
filter(f_local0_customlog);
destination(d_customlog);
};
"'
In case you need to revert the syslog configuration changes:
# tmsh modify sys syslog include none

Example of iRule to log to custom file

This is a simple iRule that logs the URLs requested on the virtual server where the iRule has been applied:
when HTTP_REQUEST {
log local0.info "[IP::client_addr] [HTTP::host][HTTP::uri]"
}
As expected, these lines are logged to the /var/log/ltm file.
To send those messages to the custom log file, simply prepend the configured syslog string (in this example #DEBUG#):
when HTTP_REQUEST {
log local0.info "#DEBUG# [IP::client_addr] [HTTP::host][HTTP::uri]"
}

Check logs

After applying this last example iRule, new messages are logged to the custom file:
# tail -f /var/log/customlog
Nov  8 09:33:03 BigIP1 tmm1[12686]: Rule /Common/IRULE_TEST_LOG <HTTP_REQUEST>: #DEBUG# 10.2.4.10 myweb.domain.com/folder
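
To check the filter expression offline before changing a device, and to split the resulting custom log lines into fields, the following added example (not part of the original post) models the two filters and parses the line format shown above. It assumes syslog-ng match() behaves as an unanchored regex search and that f_local0 is the filter feeding /var/log/ltm, as the post implies; the names route, parse_custom and SAMPLES are hypothetical.

```python
import re

# Expression used by both filters in the post. syslog-ng match() is modelled
# as an unanchored regex search over the line text (simplifying assumption).
MARKER = re.compile(r": #DEBUG#")

# Layout of the /var/log/customlog line shown in the post.
ENTRY = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<device>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: "
    r"Rule (?P<rule>\S+) <(?P<event>\w+)>: #DEBUG# (?P<client>\S+) (?P<url>\S+)$"
)

# Constructed sample input as (facility, line). The first line is the post's
# own tail output; the other three are made up for this example.
SAMPLES = [
    ("local0", "Nov  8 09:33:03 BigIP1 tmm1[12686]: Rule /Common/IRULE_TEST_LOG "
               "<HTTP_REQUEST>: #DEBUG# 10.2.4.10 myweb.domain.com/folder"),
    ("local0", "Nov  8 09:33:04 BigIP1 tmm1[12686]: Rule /Common/IRULE_TEST_LOG "
               "<HTTP_REQUEST>: 10.2.4.10 myweb.domain.com/other"),
    ("local0", "Nov  8 09:33:05 BigIP1 tmm1[12686]: Rule /Common/IRULE_TEST_LOG "
               "<HTTP_REQUEST>: note #DEBUG# 10.2.4.10 myweb.domain.com/x"),
    ("local6", "Nov  8 09:33:06 BigIP1 httpd[4211]: #DEBUG# not a local0 message"),
]

def route(facility, line):
    """Destination chosen by the post's two filters, or None if neither applies."""
    if facility != "local0":           # both filters require facility(local0)
        return None
    if MARKER.search(line):            # f_local0_customlog
        return "/var/log/customlog"
    return "/var/log/ltm"              # f_local0 (assumed to feed /var/log/ltm)

def parse_custom(line):
    """Split a customlog line into fields; None if it is not in the iRule's format."""
    m = ENTRY.match(line)
    return m.groupdict() if m else None

if __name__ == "__main__":
    for facility, line in SAMPLES:
        dest = route(facility, line)
        fields = parse_custom(line) if dest == "/var/log/customlog" else None
        print(dest, fields)
```

The third sample stays in /var/log/ltm because the filter requires the marker to follow a colon and a space directly, which is why the iRule puts #DEBUG# at the very start of its message.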
