Forum Discussion

TimRiker
Sep 10, 2024

BIG-IP syslog include

BIG-IP remote syslog with short names, iso dates, and milli/microseconds

It looks like syslog-ng is broken on a number of BIG-IP releases. Using use_fqdn(no) still gets fqdns in the logs. This looks to have been broken here:

https://cdn.f5.com/product/bugtracker/ID998649.html

Our workaround is to add a rewrite filter that removes the domain name. Log in, run tmsh, run the command "edit sys syslog" and enter the below. You probably want to clear any remote syslog setup in the UI first.

sys syslog {
    include "
# short hostnames
options {
    frac_digits(6);
    keep_hostname(no);
    use_fqdn(no);
};
# F5 use-fqdn is broken in
# https://cdn.f5.com/product/bugtracker/ID998649.html
# so replace '\\..*' with ''
rewrite r_domain {
    subst(\"\\\\..*\", \"\", value(\"HOST\"));
};
# Remote syslog in RFC5424 - Tim Riker <Tim@Rikers.org>
destination d_remote_loghost {
    # put your syslog IP here in place of the 0.0.0.0
    syslog(0.0.0.0 port(514));
};
log {
    source(s_syslog_pipe);
    rewrite(r_domain);
    destination(d_remote_loghost);
};
"
}

Note: this output does NOT appear to be RFC5424 compliant. For example, system output includes a priority field following the hostname, where RFC5424 does not include that in its spec.
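An added check for the note above (example code, not from the post or from F5): a small Python validator that parses the RFC 5424 header, flags a domain left in HOSTNAME (what the r_domain rewrite strips) and flags a bare severity word sitting after HOSTNAME. The sample lines are constructed to illustrate the post's description, not captured from a BIG-IP, and the set of severity spellings is an assumption.

```python
import re

# RFC 5424 HEADER = <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\])(?: (?P<msg>.*))?$"
)
# RFC 3339 timestamp; frac_digits(6) in the post yields up to six fractional digits
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?(Z|[+-]\d{2}:\d{2})$")
# Assumed spellings of the bare "ASCII level indicator" the post sees after HOSTNAME;
# RFC 5424 has no such field, severity lives only inside <PRI>.
SEVERITY_WORDS = {"emerg", "alert", "crit", "err", "error", "warning", "warn",
                  "notice", "info", "debug"}

def strip_domain(host):
    """Same effect as the post's rewrite: subst("\\..*", "", value("HOST"))."""
    return re.sub(r"\..*", "", host)

def check_rfc5424(line):
    """Return the problems found in one syslog line; an empty list means it looks compliant."""
    m = HEADER_RE.match(line)
    if not m:
        return ["header does not match the RFC 5424 layout"]
    problems = []
    if int(m["pri"]) > 191:
        problems.append("PRI out of range (max 191)")
    if m["version"] != "1":
        problems.append("VERSION is not 1")
    if m["timestamp"] != "-" and not TS_RE.match(m["timestamp"]):
        problems.append("TIMESTAMP is not RFC 3339")
    # RFC 5424 permits an FQDN here; this flags the post's goal of short names instead
    if "." in m["host"]:
        problems.append("HOSTNAME still carries a domain")
    if m["app"].lower() in SEVERITY_WORDS:
        problems.append("severity word after HOSTNAME is not an RFC 5424 field")
    return problems

# Constructed samples (not captured from a BIG-IP): a compliant line and one with the
# FQDN and extra level word the post describes.
COMPLIANT = "<134>1 2024-09-10T12:34:56.123456-06:00 bigip1 tmm 1234 - - connection accepted"
F5_LIKE = ("<134>1 2024-09-10T12:34:56.123456-06:00 bigip1.example.com info "
           "tmm 1234 - - connection accepted")

if __name__ == "__main__":
    for sample in (COMPLIANT, F5_LIKE):
        print(sample.split(" ")[2], check_rfc5424(sample) or "ok")
```

Point it at a few lines captured on the remote loghost to confirm the rewrite took effect and to see exactly which field breaks a strict RFC 5424 receiver.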

  • I'm happy to have this exposed as "Solution". Perhaps with a shorter title. 😀 I edited the original.

    I updated it with frac_digits(6); to get microseconds as the logger seems to support that.

    Output from F5s does NOT appear to be RFC5424 compliant with this change. For example, I see an ascii level indicator which rfc5424 does not include. I'm looking into further validation.

    The F5s should really have built in support to log in rfc5424 with short names, timezone and milli/microsecond information. Supporting only fqdn and only rfc3164 is pretty lame in this day and age.

    There are a few F5 KB articles that recommend adding udp() to syslog include. udp() has been deprecated for a long time now. Any KB references that include that should be updated.

    BIG-IP 15.1.10.3 includes syslog-ng 3.8.1 which no longer has reliable online documentation that I can find. If F5 is going to continue to ship this old version, they should at least post the documentation online. syslog-ng 3.8.1 shipped on Aug 19, 2016:

    https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.8.1

    • LiefZimmerman

      Unfortunately, for now, I can't seem to mark multiple items as Solution.
      When I can I will do so for this comment as well.

      Thanks again Tim - very helpful.

  • TimRiker - A) this is amazing.
    B) I've asked our support-based moderators to take a look and see if we might cross-link your workaround into other places through support.
    C) If you agree - I think it would be right to push this into the codeshare node as a "Solution" to the problem.

    I can take care of that for you if you like.
    Lief

  • TimRiker - Hello Tim, thank you for this proposed solution. We are working to validate it across multiple platforms and get it published on the public site. Thank you for your continued support.

  • TimRiker - given that Jmtaylor was able to push this over into an actual Knowledge article (officially F5 supported) solution I'm less concerned with where it lives in DevCentral now. As long as it's discoverable.

    I will mark a comment as the solution so that it gets that deserved lift as well.

    Thanks JMTaylor and HUGE thanks to you Tim for sharing this with the F5 Community.