Applies To:

Show Versions Show Versions

sol12080: Configuring the source IP address for the syslog daemon
How-ToHow-To

Original Publication Date: 09/26/2010
Updated Date: 09/07/2012

You can specify the BIG-IP source IP address that syslog-ng uses when sending traffic to remote log servers. To do so, perform the following procedure:

  1. Log in to the BIG-IP command line.
  2. Replace the existing syslog server definitions with those that specify the source address by using one of the following two bigpipe syslog include commands:

    Note: You should type the following command in a single line; it has been separated into multiple lines for formatting purposes only.

    Note: The bigpipe syslog include command was introduced in BIG-IP version 9.4.2 for use with the single configuration file (SCF). For more information, refer to SOL8435: Overview of the single configuration file (SCF).

    • BIG-IP version 9.6.0 and later

      Note: You should issue the following command in one continuous line. It has been split into multiple lines for formatting purposes only.

      bigpipe syslog include '"filter f_remote_loghost { level(warn..emerg);}; destination d_remote_loghost {udp(\"<syslog_ip>\" port(514) localip(\"<local_ip>\"));};log {source(s_syslog_pipe);filter(f_remote_loghost);destination(d_remote_loghost);};"'

      Note: The syslog_pipe was introduced in BIG-IP version 9.6.0. It replaces the local source, allowing data to be streamed to syslog by way of the pipe instead of having to request the information from the mcpd process or TMM.

    • BIG-IP version 9.4.2 through 9.4.8

      Note: You should issue the following command in one continuous line. It has been split into multiple lines for formatting purposes only.

      bigpipe syslog include '"filter f_remote_loghost { level(warn..emerg);}; destination d_remote_loghost {udp(\"<syslog_ip>\" port(514) localip(\"<local_ip>\"));};log {source(local);filter(f_remote_loghost);destination(d_remote_loghost);};"'

      Replace <syslog_ip> with the IP address of the destination remote syslog server. The tuple of udp (\"<syslog_ip>\" port (514)) may be repeated as necessary, separated by semicolons, to configure multiple destinations. Replace <local_ip> with the source IP address you want the BIG-IP system to use for this syslog destination.

      For example, the following bigpipe syslog include command replaces the existing f_remote_loghost filter with a filter that specifies that messages matching the filter are sent to a remote UDP syslog server at 10.0.0.1 with a source IP address of 192.168.1.1:

      bigpipe syslog include '"filter f_remote_loghost { level(warn..emerg);}; destination d_remote_loghost {udp(\"10.0.0.1\" port(514) localip(\"192.168.1.1\"));log {source(s_syslog_pipe);filter(f_remote_loghost);destination(d_remote_loghost);};"'

      Important: The include command replaces any previously included data, so only the most recently applied data set is retained. To include multiple objects, you must construct a single include command using the previously-listed example syntax.

  3. Restart the syslog-ng service to initialize the new configuration by typing the following command:

    bigstart restart syslog-ng

    Note: Examine any console output for errors. A successful include operation will not produce any output to the console. (Benign errors may be observed in the /var/log/boot.log file as noted in SOL8549: Configuring an additional remote syslog server using the bigpipe syslog include command causes an error message. You can safely ignore these errors.)

  4. Save the configuration by typing the following command:

    bigpipe save all

If you want to remove the syslog include configuration, run the command bigpipe syslog include none.

Note: For information about routing issues that may affect syslog traffic, refer to SOL10239: Unsolicited management traffic may not use the intended management address or management routes.

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)