扫盲计划之：log&syslog

GUI下的log显示有：

system---------->/var/log/messages

packer filter ------------->/var/log/pktfilter

Local traffic-------------->/var/log/ltm

audit----------------->/var/log/audit

打开GUI下的审计需要打开MCP审计功能并确保MCP的日志级别不高于notice

打开b 命令的审计则需打开bigpipe的审计

在/var/log 下其实还有很多其他日志文件

------------------------------------------------------

使用logtool可以快速的在所有日志中查找感兴趣的日志，使用方法如下

[root@v10-1:Active] log # logtool --help
Unknown option: help
Usage: /usr/bin/logtool [options] ["<SearchString>"]
Options:
--filename:    Append the log file name to the message
--level=LEVEL: Search for messages at a level
--system=NAME: Search for messages from a system
--slot=NUMBER: Search for messages from a slot
--zipped:      Search for messages in compressed log files

注意searchstring是区分大小写的。

----------------------------------------

在命令行下查看日志时候可以通过增加 bigcodes 管道来解析F5一些专用的抽象代码,例如

cat /var/log/ltm | bigcodes |less

----------------------------------------

resize-logFS 可以用来resize 给/var/log预分配的固定空间，默认是7G，可配区间是1-10G

--------------------

配置syslog-ng将log发送到远程syslog服务器

9.4.2之前手工编辑/etc/syslog-ng/syslog-ng.conf

9.4.2--9.4.6用 b命令配置syslog

9.4.2--9.4.6中用b syslog remote server 命令只能配置一个目标服务器，且不能指定协议，所以必须用b syslog include命令来配置(SOL8259)，但这个版本区间用b syslog include配置多个目标服务器又可能会在log中提示错误(SOL8549)，所有的问题都在V10中解决，v10中关于syslog的配置命令进行了增强。

9.4.2--9.4.6中b syslog include 配置方法：

bigpipe syslog include '"destination <dest_name> { <protocol>(\"<syslog_ip_address>\" port(<syslog_port>));};log { source(local); destination(<dest_name>);};"'

Replace <dest_name> with a unique name for the new log destination object, <protocol> with the desired transport protocol (UDP or TCP), <syslog_ip_address> with the IP address of the destination remote syslog server, and <syslog_port> with the port upon which the remote syslog service is listening. The tuple of <protocol>(\"<syslog_ip_address>\" port (<syslog_port>)) may be repeated as necessary, separated by semicolons, to configure multiple destinations.

For example, the following bigpipe syslog include command adds a remote UDP syslog server with the IP address of 10.0.0.1:

bigpipe syslog include '"destination d_udp { udp(\"10.0.0.1\" port(514));};log { source(local); destination(d_udp);};"'

The following bigpipe syslog include command adds two remote TCP syslog servers:

bigpipe syslog include '"destination d_tcp { tcp(\"10.0.0.1\" port(1468)); tcp(\"10.0.0.2\" port(1468));};log { source(local); destination(d_tcp);};"'

V10后使用 b syslog remote server配置方法：

• Adding a single remote server:

bigpipe syslog remote server {<name> {host <addr_or_hostname>}}

• Adding multiple remote servers:

bigpipe syslog remote server {<name1> {host <addr_or_hostname>} <name2> {host <addr_or_hostname>} ... }

• Deleting a single remote server:bigpipe syslog remote server <name> delete
• Deleting multiple remote servers:bigpipe syslog remote server {<name1> <name2> ... } delete
• Deleting all remote servers:bigpipe syslog remote server none

配置举例V10：

b syslog remote server server1 host 192.168.192.90 server2 host 192.168.192.91

加完后,做一下b save,然后www.myf5.net在bigip_sys.conf下可以看到：

syslog {
remote server {
server1 {
host 192.168.192.90
}
server2 {
host 192.168.192.91
}
}
}

最终在syslog-ng.conf中表示如下：

# Log to a remote host
destination d_loghost {
udp("192.168.192.90" port(514));
udp("192.168.192.91" port(514));
};

log {
source(s_syslog_pipe);
destination(d_loghost);
};

指定syslog服务器端口：

b syslog remote server server1 remote port 5114

b save

在bigip_sys.conf效果如下：

syslog {
remote server {
server1 {
host 192.168.192.90
remote port 5114
}
server2 {
host 192.168.192.91
}
}
}

指定syslog服务器协议：

就得用include方法了。。。

------------------------

注意点：

v9中log 的source是 source(local),v10中改为 source(s_syslog_pipe)

如果遇到syslog服务器关于包大小处理问题，在V944版本之后，通过一个db值可以调整

bigpipe db Tmm.MaxRemoteLogLength <size>

------------------------

缺省情况下，F5根据路由情况来决定syslog发出的包的源地址，TMM缺省路由是优先于MGMT缺省路由的，这一点需特别注意。如果遇到包从不期望的接口发出去，那么需要考虑调整路由，一般来说定义关于syslog服务器的明细路由能比较有效的控制，例如可以定义明细路由从管理口的下一跳出去，这样包的源地址就是MGMT口的地址了。

如果需要绑定一个地址作为包的源地址，可以参考如下配置：

b syslog remote server server1 local ip 172.24.111.111

# Log to a remote host
destination d_loghost {
udp("192.168.192.90" port(514) localip(172.24.111.111));
};

log {
source(s_syslog_pipe);
destination(d_loghost);
};

如果绑定的IP有问题，会导致日志无法发出，可能重启syslog-ng都不会显示有问题，但此时在/var/log/boot.log里会看到相关错误：

Aug 16 23:44:25 local/v10-1 notice syslog-ng: Error binding socket; addr='AF_INET(172.24.111.111:0)', error='Cannot assign requested address (99)'
Aug 16 23:44:25 local/v10-1 notice syslog-ng: Initiating connection failed, reconnecting; time_reopen='60'
Aug 16 23:44:25 local/v10-1 notice syslog-ng: syslog-ng startup succeeded

b syslog remote server server1 local ip none 可以清除掉之前的绑定，要绑定的IP必须是F5上已经存在的IP

绑定IP 并不能因此影响包从TMM还是从MGMT发出，例如绑定TMM上的地址，但路由依然是从MGMT走，则此时的包是以TMM的地址作为SRC IP 并从MGMT口出去，这一点需要注意。

另外用local 参数指定的IP 实际存储在/etc/confpp.dat里，该文件并不会保存在ucs中，因为用ucs恢复系统后，该配置会丢失 (v10.2.2之后，include方式配置的内容将被存储在bigip_base.conf, 不再存储在bigip_sys.conf里， 我晕)

[root@v10-1:Active] log # b syslog remote server list
syslog {
remote server server1 {
host 192.168.192.90
local ip 10.17.0.254
remote port 514
}
}

不想让log存到F5本地 怎么办：

（能不要这么做就不要这么做），必须做的话，步骤如下

1. mount -o remount,rw /usr

2.pico /usr/share/defaults/config/templates/syslog.tmpl

3.例如将boot.log的日志不写到文件，只发送给syslog server

#destination d_boot {
#   file("/var/log/boot.log" create_dirs(yes));
#};
#edit for testing
destination d_boot {
udp("192.168.192.90" port(514));
};

4.mount -o rmoute,ro /usr

5.bigstart restart syslog-ng

------------------------------------

定义指定的log到syslog：

使用include定义filter，例如发送tamd产生的日志到指定的服务器：

bigpipe syslog include '"destination d_udp_tamd { udp(\"10.0.0.1\" port(514)); udp(\"10.0.0.2\" port(514));};filter f_tamd { program(tamd) ;};log { source(s_syslog_pipe);filter (f_tamd);destination(d_udp_tamd);};"'

此命令等同于直接在配置文件中增加include内容，所以可以参考syslog-ng的配置语法灵活定义

----------------

logsave ：

NAME
logsave - save the output of a command in a logfile

SYNOPSIS
logsave [ -asv ] logfile cmd_prog [ ... ]

DESCRIPTION
The logsave program will execute cmd_prog with the specified argument(s), and save a copy of its output to log-
file.  If the containing directory for logfile does not exist, logsave will accumulate  the  output  in  memory
until it can be written out.  A copy of the output will also be written to standard output.

If  cmd_prog  is  a  single hyphen ('-'), then instead of executing a program, logsave will take its input from
standard input and save it in logfile

logsave is useful for saving the output of initial boot scripts until the /var partition  is  mounted,  so  the
output can be written to /var/log.

OPTIONS
-a     This  option will cause the output to be appended to logfile, instead of replacing its current contents.

-s     This option will cause logsave to skip writing to the log file text which is bracketed with a  control-A
(ASCII  001  or  Start  of Header) and control-B (ASCII 002 or Start of Text).  This allows progress bar
information to be visible to the user on the console, while not being written to the log file.

-v     This option will make logsave to be more verbose in its output to the user.