Jump to content

No F5 audit logs in Splunk

Cowboy Denny

Recommended Posts

Here is a suggestion I may try

Just configure (/Common)(tmos.sys) edit /sys syslog all-properties

Go to the line that says "include none" and replace that line with:

include " destination remote_server { udp(\"IP-OF-SYSLOG-SERVER\" port (514)); }; filter f_ltm { facility(local0) and level(emerg..info); }; log { source(local); filter(f_ltm); destination(remote_server); }; "

If I do a tmsh list /sys syslog all-properties I get this before making the above change

[root@usmifnt01:/S1-green-P::Active:In Sync] log # tmsh list /sys syslog all-properties
sys syslog {
    auth-priv-from notice
    auth-priv-to emerg
    clustered-host-slot enabled
    clustered-message-slot disabled
    console-log enabled
    cron-from warning
    cron-to emerg
    daemon-from notice
    daemon-to emerg
    description none
    include "filter f_local0 {facility(local0) and not match(\"user=svc_f5_splunk_d, method=\");};"
    iso-date disabled
    kern-from debug
    kern-to emerg
    local6-from notice
    local6-to emerg
    mail-from notice
    mail-to emerg
    messages-from notice
    messages-to warning
    remote-servers none
    user-log-from notice
    user-log-to emerg

I may try this change and see if it makes a difference

Link to comment
Share on other sites

  • Create New...