Manual Chapter 12: Logging
Viewing and managing log messages is an important part of managing traffic on a network and maintaining a BIG-IP® system. Log messages inform you on a regular basis of the events that are happening on the system.
You can log events either locally on the BIG-IP system or remotely, using the BIG-IP system's high-speed logging mechanism. The recommended way to store logs is on a pool of remote logging servers.
For local logging, the high-speed logging mechanism stores the logs in either the Syslog or the MySQL database on the BIG-IP system, depending on the destination that you define. For remote logging, the high-speed logging mechanism sends log messages to a pool of logging servers that you define.
To configure and manage high-speed logging, log in to the BIG-IP Configuration utility, and on the Main tab, expand System, and click Logs.
If you previously configured the BIG-IP system to log messages locally using the Syslog utility or remotely using the Syslog-ng utility, you can continue doing so with your current logging configuration, without configuring high-speed logging.
Alternatively, however, you can configure local Syslog logging using the high-speed logging mechanism, which is the recommended Syslog configuration. By configuring Syslog using high-speed logging, you can easily switch logging utilities in the future as needs change, without having to perform significant re-configuration.
When you configure the high-speed logging mechanism, you can store the log messages either remotely on logging servers, or locally on the BIG-IP system.
Important: F5 Networks highly recommends that you store your log messages remotely and that you configure logging using the high-speed logging mechanism.
The way that you set up remote, high-speed logging is by first defining a pool of logging servers, and then creating an unformatted, remote high-speed log destination that references the pool. If you are using ArcSight, Splunk, or Remote Syslog logging servers that require a formatted destination, you can also create a formatted log destination for one of those server types. Once those objects are set up, you create a publisher and a custom logging profile pertaining to the type of message you want to log. You then assign the logging profile to a relevant virtual server, and the profile, in turn, references the publisher.
Figure 12.1 shows the BIG-IP objects that you configure for remote high-speed logging. The illustration shows the way that these objects reference one another from a configuration perspective.
Table 12.1 describes the logging objects shown in Figure 12.1.
Formatted log destination: A formatted log destination pertains to a specific type of remote logging server (ArcSight, Splunk, or Remote Syslog) and references an unformatted log destination.
Logging profile: A logging profile pertains to the type of events that you want to log. For example, for logging Protocol Security events, you create a Protocol Security logging profile. For Network Firewall events, you create a Network Firewall profile. A logging profile references a log publisher.
Log filter: A log filter is a mechanism for setting minimum log levels for various system-level events. A log filter references a log publisher.
LTM® virtual server or GTM™ listener: A virtual server or listener listens for the type of traffic for which you want to log messages. If you have created a logging profile, you assign the profile to the virtual server or listener.
For an example of configuring remote, high-speed logging, suppose you want to send all Protocol Security messages to a group of remote ArcSight servers. In this case, you would create:
An unformatted Remote High-Speed Log destination that references the pool of ArcSight logging servers.
A Protocol Security logging profile that references the publisher.
An LTM virtual server or GTM listener that references the logging profile and the load balancing pool.
Tip: For step-by-step information on configuring basic remote high-speed logging, see the guide BIG-IP® TMOS®: Implementations on the AskF5™ web site http://support.f5.com.
Although local logging is not recommended, you can store log messages locally on the BIG-IP system instead of remotely. In this case, you can still use the high-speed logging mechanism to store and view log messages locally on the BIG-IP system.
When you use the high-speed logging mechanism to configure local logging, the system stores the log messages in either the local Syslog database or the local MySQL database. The storage database that the BIG-IP system chooses depends on the specific log destination you assign to the publisher:
local-syslog
Causes the system to store log messages in the local Syslog database. When you choose this log destination, the BIG-IP Configuration utility displays the log messages in these categories: System, Local Traffic, Global Traffic, and Audit.
local-db
Causes the system to store log messages in the local MySQL database. When you choose local-db, the BIG-IP Configuration utility does not display the log messages.
For each type of system-level process, such as bigdb configuration events or events related to HTTP compression, you can set a minimum log level. The minimum log level indicates the minimum severity level at which the BIG-IP system logs that type of event. There are many different types of local traffic or global traffic events for which you can set a minimum log level.
For example, if you set the minimum log level for bigdb events to Error, then the system only logs messages that have a severity of Error or higher for those events.
You set minimum log levels by creating a custom log filter. On the Main tab, expand System, and then click Logs, Configuration, and Log Filters.
If you are using the Syslog utility for local logging, whether or not you are using the high-speed logging mechanism, you can view and manage the log messages using the BIG-IP Configuration utility.
The local Syslog logs that the BIG-IP system can generate include several types of information. For example, some logs show a timestamp, host name, and service for each event. Moreover, logs sometimes include a status code, while the audit log shows a user name and a transaction ID corresponding to each configuration change. All logs contain a 1-line description of each event.
Table 12.2 lists the categories of information contained in the logs and the specific logs in which the information is displayed.
Timestamp: Displayed in the System, Packet Filter, Local Traffic, and Audit logs.
Host name: The host name of the system that logged the event message. Because this is typically the host name of the local machine, the appearance of a remote host name could be of interest. Displayed in the System, Packet Filter, and Local Traffic logs.
Service: Displayed in the System, Packet Filter, and Local Traffic logs.
Status code: The status code associated with the event. Note that only events logged by BIG-IP system components, and not Linux system services, have status codes. Displayed in the Packet Filter and Local Traffic logs.
Description: Displayed in the System, Packet Filter, and Local Traffic logs.
To view system, packet filter, local traffic, global traffic, and audit messages, on the Main tab, expand System, and click Logs. Then on the menu bar, click the appropriate menu.
For local log messages that the BIG-IP system stores in the local Syslog database, the BIG-IP system automatically stores and displays log messages in the categories listed above (System, Packet Filter, Local Traffic, Global Traffic, and Audit).
Each type of event is stored locally in a separate log file, and the information stored in each log file varies depending on the event type. All log files for these event types are in the directory /var/log.
Using the Configuration utility, you can display these local system messages. Table 12.3 shows some sample system log entries.
Some of the events that the BIG-IP system logs are related to packet filtering. The system logs the messages for these events in the file /var/log/pktfilter.
Many of the events that the BIG-IP system logs are related to local area traffic passing through the BIG-IP system. The BIG-IP system logs the messages for these events in the file /var/log/ltm.
Audit logging is an optional feature that logs messages whenever a BIG-IP system object, such as a virtual server or a load balancing pool, is configured (that is, created, modified, or deleted).
Using the Configuration utility, you can display audit log messages. Table 12.5 shows a sample audit log entry. This example shows that user janet enabled the audit logging feature.
DB_VARIABLE modified:
name="config.auditing"
The BIG-IP system log messages contain codes that provide information about the system. You can run the Linux zcat command at the system prompt to expand the codes in log messages to provide more information. In Figure 12.2, the bold text is the expansion of the log code 012c0012.
Jun 14 14:28:03 sccp bcm56xxd [ 226 ] : 012c0012 : (Product=BIGIP Subset=BCM565XXD) : 6: 4.1 rx [ OK 171009 Bad 0 ] tx [ OK 171014 Bad 0 ]
At the BIG-IP system prompt, type the Linux zcat command, using this syntax:
You can view log files for a specific range of dates. To do this, you use the show log command within the sys module of the Traffic Management shell (tmsh). For more information, see the Traffic Management Shell (tmsh) Reference Guide.
You can view the command audit log by date range, using the Traffic Management shell (tmsh). For more information, see the Traffic Management Shell (tmsh) Reference Guide.
By supplying a text string, you can filter the local log messages to suit your needs. To filter system, packet filter, local traffic, global traffic, and audit messages, on the Main tab, expand System, and click Logs. Then on the menu bar, click the appropriate menu, and in the Search box (directly above the Timestamp column), type a string, optionally using the asterisk as a wildcard character. Then click Search.
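As an added example (not code from the F5 manual), the following Python parses messages in the layout shown in Figure 12.2 and applies the three checks this chapter describes: a log-filter style minimum log level, an optional wildcard search string like the one typed in the Search box, and a flag for lines whose host name is not the local machine (the point noted for the host name row of Table 12.2). It assumes the number that follows the log code (the "6:" in Figure 12.2) is the syslog severity; the sample lines beyond the figure's own are constructed, with placeholder log codes.

```python
import fnmatch
import re

# Syslog severity names, index 0 = most severe. ASSUMPTION: the digit after
# the log code in a BIG-IP message is this severity (6 = info in Figure 12.2).
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Layout of Figure 12.2:
#   <timestamp> <host> <service> [ <pid> ] : <code> : (<expansion>) : <level>: <text>
# The parenthesised expansion is optional, since it comes from zcat.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<service>\S+) "
    r"\[ *(?P<pid>\d+) *\] : (?P<code>[0-9a-f]{8}) : "
    r"(?:(?P<expansion>\([^)]*\)) : )?(?P<level>\d): (?P<text>.*)$"
)

# Constructed sample: line 1 is the Figure 12.2 message; lines 2 and 3 are
# made up, with placeholder codes 0a0b0c01/0a0b0c02 (not real BIG-IP codes).
SAMPLE_LINES = [
    "Jun 14 14:28:03 sccp bcm56xxd [ 226 ] : 012c0012 : (Product=BIGIP Subset=BCM565XXD) : 6: 4.1 rx [ OK 171009 Bad 0 ] tx [ OK 171014 Bad 0 ]",
    "Jun 14 14:29:10 sccp tmm [ 1102 ] : 0a0b0c01 : (Product=BIGIP Subset=TMM) : 3: No members available for pool example_pool",
    "Jun 14 14:30:45 otherhost mcpd [ 4411 ] : 0a0b0c02 : (Product=BIGIP Subset=MCPD) : 4: pool member example_pool monitor status down",
]


def parse_line(line):
    """Split one BIG-IP log line into its fields; None if the layout does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["level"] = int(rec["level"])
    return rec


def filter_log(lines, min_level="err", pattern=None, local_host=None):
    """Keep lines at or above min_level (like a log filter), optionally matching a
    wildcard pattern (like the Search box); mark lines from a non-local host."""
    max_num = SEVERITY.index(min_level)          # numerically larger = less severe
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["level"] > max_num:
            continue
        if pattern and not fnmatch.fnmatchcase(line, pattern):
            continue
        rec["remote_host"] = local_host is not None and rec["host"] != local_host
        kept.append(rec)
    return kept
```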
You can view the contents of the audit log, or you can search an audit log based on user name, time period, or specific content. On the Main tab, expand System, click Logs, and on the menu bar, click Audit.
Using the Configuration utility, you can configure the level of access that a user has to the local logs that the Syslog utility generates. You can control a user's access to the logs by setting the user's user role to either Allow or Deny. To set user access, on the Main tab, expand System, and then click Logs, Configuration, and Options.
An optional type of logging that you can enable is audit logging. Audit logging logs messages that pertain to configuration changes that users or services make to the BIG-IP system configuration. This type of audit logging is known as MCP audit logging. Optionally, you can set up audit logging for any tmsh commands that users type on the command line.
For both MCP and tmsh audit logging, you can choose a log level. In this case, the log levels do not affect the severity of the log messages; instead, they affect the initiator of the audit event. The log levels for MCP audit logging are:
Disable
This turns audit logging off. This is the default value.
Enable
This causes the system to log messages for user-initiated configuration changes only.
Verbose
This causes the system to log messages for user-initiated configuration changes and any loading of configuration data.
Debug
This causes the system to log messages for all user-initiated and system-initiated configuration changes.
The log levels for tmsh logging are:
Disable
This turns audit logging off. This is the default value.
Enable
This causes the system to log messages for user-initiated configuration changes only.
If you want to configure remote logging using Syslog-ng, you do not use the high-speed logging mechanism. Configuration of remote logging using Syslog-ng has some key differences compared to a remote, high-speed logging configuration:
Instead of creating a pool of remote logging servers (as you do with high-speed logging), you specify the IP addresses of the servers using the Remote Logging screen of the BIG-IP Configuration utility.

To do this, expand System, and click Logs, Configuration, and Remote Logging.
If you want to ensure that the Syslog-ng messages being logged remotely are encrypted, you must first establish a secure tunnel. For more information, see Appendix A, Encrypting Remotely-stored Log Messages.