Custom Syslog Configuration

From Tech-Wiki
Revision as of 02:24, 8 August 2016 by Fabricio.Lima (Talk | contribs)

Jump to: navigation, search


Using the standard method of syslog configuration on an F5 device, the device will normally send it's syslog messages to one syslog server using the same facility and level that they were generated on the F5.

What happens if you want to send to a different facility level on a remote host ?

You can use the command and configuration below to achieve this.

b syslog include '"
template t_emerg {
template(\"<176>$DATE $HOST $MSGHDR$MSG\n\");
template_escape(no);
};
template t_alert {
template(\"<177>$DATE $HOST $MSGHDR$MSG\n\");
template_escape(no);
};
template t_crit {
template(\"<178>$DATE $HOST $MSGHDR$MSG\n\");
template_escape(no);
};
template t_err {
template(\"<179>$DATE $HOST $MSGHDR$MSG\n\");
template_escape(no);
};
template t_warning {
template(\"<180>$DATE $HOST $MSGHDR$MSG\n\");
template_escape(no);
};
template t_notice {
template(\"<181>$DATE $HOST $MSGHDR$MSG\n\");
template_escape(no);
};
destination remote_server_emerg {
udp(\"SYSLOG IP\" port (514) template(t_emerg));
};
destination remote_server_alert {
udp(\"SYSLOG IP\" port (514) template(t_alert));
};
destination remote_server_crit {
udp(\"SYSLOG IP\" port (514) template(t_crit));
};
destination remote_server_err {
udp(\"SYSLOG IP\" port (514) template(t_err));
};
destination remote_server_warning {
udp(\"SYSLOG IP\" port (514) template(t_warning));
};
destination remote_server_notice {
udp(\"SYSLOG IP\" port (514) template(t_notice));
};
filter f_logs_emerg {
level (emerg);
};
filter f_logs_alert {
level (alert);
};
filter f_logs_crit {
level (crit);
};
filter f_logs_err {
level (err);
};
filter f_logs_warning {
level (warning);
};
filter f_logs_notice {
level (notice);
};
log {
source(local);
filter(f_logs_emerg);
destination(remote_server_emerg);
};
log {
source(local);
filter(f_logs_alert);
destination(remote_server_alert);
};
log {
source(local);
filter(f_logs_crit);
destination(remote_server_crit);
};
log {
source(local);
filter(f_logs_err);
destination(remote_server_err);
};
log {
source(local);
filter(f_logs_warning);
destination(remote_server_warning);
};
log {
source(local);
filter(f_logs_notice);
destination(remote_server_notice);
};"'

This configuration with the use of a priority number (The number inside <>), to replace the priority on ALL syslog messages sent out. Using the settings above will send syslog messages at level "notice" (and below) to facility local6 on the remote server.

This priority number can be calculated using the following formula:

(numeric value of facility) * 8 + (numeric value of severity)

The numeric vaules are listed in the tables below.

Table 1. syslog Message Facilities
Numerical Code Facility
0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security/authorization messages
5 messages generated internally by syslogd
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon
10 security/authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon
16 local use 0 (local0)
17 local use 1 (local1)
18 local use 2 (local2)
19 local use 3 (local3)
20 local use 4 (local4)
21 local use 5 (local5)
22 local use 6 (local6)
23 local use 7 (local7)


Table 2. syslog Message Severities
Numerical Code Severity
0 Emergency: system is unusable
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition
6 Informational: informational messages
7 Debug: debug-level messages


External links