Custom Syslog Configuration

From Tech-Wiki

Revision as of 06:46, 28 January 2011


With the standard syslog configuration on an F5 device, the device normally sends its syslog messages to a single remote host, and at the same level at which they were generated on the device.

What happens if you want to send to a different facility level on a remote host?

You can use the command and configuration below to achieve this.

b syslog include '"
template t_emerg {
template(\"<176>$DATE $HOST $MSGHDR$MSG\n\");
template_escape(no);
};
template t_alert {
template(\"<177>$DATE $HOST $MSGHDR$MSG\n\");
template_escape(no);
};
template t_crit {
template(\"<178>$DATE $HOST $MSGHDR$MSG\n\");
template_escape(no);
};
template t_err {
template(\"<179>$DATE $HOST $MSGHDR$MSG\n\");
template_escape(no);
};
template t_warning {
template(\"<180>$DATE $HOST $MSGHDR$MSG\n\");
template_escape(no);
};
template t_notice {
template(\"<181>$DATE $HOST $MSGHDR$MSG\n\");
template_escape(no);
};
destination remote_server_emerg {
udp(\"SYSLOG IP\" port (514) template(t_emerg));
};
destination remote_server_alert {
udp(\"SYSLOG IP\" port (514) template(t_alert));
};
destination remote_server_crit {
udp(\"SYSLOG IP\" port (514) template(t_crit));
};
destination remote_server_err {
udp(\"SYSLOG IP\" port (514) template(t_err));
};
destination remote_server_warning {
udp(\"SYSLOG IP\" port (514) template(t_warning));
};
destination remote_server_notice {
udp(\"SYSLOG IP\" port (514) template(t_notice));
};
filter f_logs_emerg {
level (emerg);
};
filter f_logs_alert {
level (alert);
};
filter f_logs_crit {
level (crit);
};
filter f_logs_err {
level (err);
};
filter f_logs_warning {
level (warning);
};
filter f_logs_notice {
level (notice);
};
log {
source(local);
filter(f_logs_emerg);
destination(remote_server_emerg);
};
log {
source(local);
filter(f_logs_alert);
destination(remote_server_alert);
};
log {
source(local);
filter(f_logs_crit);
destination(remote_server_crit);
};
log {
source(local);
filter(f_logs_err);
destination(remote_server_err);
};
log {
source(local);
filter(f_logs_warning);
destination(remote_server_warning);
};
log {
source(local);
filter(f_logs_notice);
destination(remote_server_notice);
};"'

This configuration uses a priority number (the number inside the <>) to replace the priority on ALL syslog messages sent out. Using the current numbers, this will send all messages to local6.info.

This priority number can be calculated using the following formula:

(numeric value of facility) * 8 + (numeric value of severity)

The numeric values are listed in the tables below.

Table 1. syslog Message Facilities
Numerical Code   Facility
0                kernel messages
1                user-level messages
2                mail system
3                system daemons
4                security/authorization messages
5                messages generated internally by syslogd
6                line printer subsystem
7                network news subsystem
8                UUCP subsystem
9                clock daemon
10               security/authorization messages
11               FTP daemon
12               NTP subsystem
13               log audit
14               log alert
15               clock daemon
16               local use 0 (local0)
17               local use 1 (local1)
18               local use 2 (local2)
19               local use 3 (local3)
20               local use 4 (local4)
21               local use 5 (local5)
22               local use 6 (local6)
23               local use 7 (local7)


Table 2. syslog Message Severities
Numerical Code   Severity
0                Emergency: system is unusable
1                Alert: action must be taken immediately
2                Critical: critical conditions
3                Error: error conditions
4                Warning: warning conditions
5                Notice: normal but significant condition
6                Informational: informational messages
7                Debug: debug-level messages
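As an added example (not from the original wiki page), the following Python applies the formula and the two tables above: it computes a PRI value, decodes the values hard-coded in the templates back into facility and severity, and generates the same per-severity syslog-ng blocks for any facility. The short facility names and the remote IP 192.0.2.10 are assumptions, not values from the page.

```python
# Added example (not from the original page): compute the PRI value that the
# templates above hard-code, decode a PRI back into facility and severity, and
# generate the per-severity syslog-ng blocks for any facility. Facility names
# for codes 12-15 are abbreviations of the descriptions in Table 1.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "logaudit": 13, "logalert": 14, "clock": 15,
    **{f"local{i}": 16 + i for i in range(8)},
}
# Severity codes 0..7 from Table 2, in order.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, the formula given on the page."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)

def decode_pri(value: int) -> tuple:
    """Inverse of pri(): facility and severity names for a PRI value."""
    if not 0 <= value <= 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {value}")
    fac_code, sev_code = divmod(value, 8)
    facility = next(n for n, c in FACILITIES.items() if c == fac_code)
    return facility, SEVERITIES[sev_code]

def syslog_ng_blocks(facility: str, remote_ip: str, port: int = 514,
                     severities=tuple(SEVERITIES[:6])) -> str:
    """Emit template/destination/filter/log blocks in the layout used above.
    Defaults to emerg..notice, the six levels the page's configuration forwards.
    Output is plain syslog-ng text; inside b syslog include '"..."' the double
    quotes must be backslash-escaped as shown on the page."""
    out = []
    for sev in severities:
        p = pri(facility, sev)
        out.append(f'template t_{sev} {{\n'
                   f'template("<{p}>$DATE $HOST $MSGHDR$MSG\\n");\n'
                   f'template_escape(no);\n}};')
        out.append(f'destination remote_server_{sev} {{\n'
                   f'udp("{remote_ip}" port ({port}) template(t_{sev}));\n}};')
        out.append(f'filter f_logs_{sev} {{\nlevel ({sev});\n}};')
        out.append(f'log {{\nsource(local);\nfilter(f_logs_{sev});\n'
                   f'destination(remote_server_{sev});\n}};')
    return "\n".join(out)

if __name__ == "__main__":
    for p in range(176, 182):  # the six PRI values hard-coded on the page
        print(p, decode_pri(p))
    print(syslog_ng_blocks("local6", "192.0.2.10"))  # constructed example IP
```

Note that the configuration above defines filters only for emerg through notice, so info and debug messages are not forwarded by those log statements.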

