F5 DOS config file for syslog-ng
#############################################################################
### F5 DOS
############################################################################
### Sources
# Each source gets its own reader thread (with syslog-ng's threaded mode on), so
# split sources up as much as possible.
# No ip() is given, so the listener binds to all interfaces. Plain UDP syslog is
# unauthenticated and trivially spoofable: restrict who can reach this port at
# the host/network firewall, and consider TCP/TLS if the F5s can send it.
# Tuning: https://codeascraft.com/2012/08/13/performance-tuning-syslog-ng/
# log-fetch-limit = number of messages read from the source per poll ("chunk")
# log-iw-size = max-connections * log-fetch-limit (for the values below that
#   would be 500 * 1000 = 500000, but the source sets 100000 — one of the two
#   is off; review before relying on the rule of thumb)
# log-fifo-size = log-iw-size * 20 (a global option, expected to be set in the
#   main syslog-ng.conf that includes this file)
#
source s_udp5432_F5 {
# network() defaults to TCP, so UDP has to be requested explicitly.
# Security note: UDP provides no transport authentication or integrity. Any
# host that can reach this port can inject messages with an arbitrary header
# (including the hostname), so the filters below are routing aids, not proof
# of origin. Restrict reachability at the firewall.
# max-connections() only applies to stream (TCP) transports; a UDP listener has
# a single reader, so it has no effect here (log-fetch-limit/log-iw-size do).
# For bursty UDP, a larger so-rcvbuf() is the usual knob against kernel drops.
# assume-utf8 skips UTF-8 validation of incoming bytes (validate-utf8 checks
# instead); syslog-protocol parses messages as RFC 5424 rather than BSD/RFC 3164.
# NOTE(review): 5432 is also PostgreSQL's registered TCP port — harmless for UDP,
# but easy to confuse in firewall rules; document the choice where the rule lives.
network(port(5432) transport("udp") max-connections(500) log-fetch-limit(1000) log-iw-size(100000) flags(assume-utf8, syslog-protocol));
};
############################################################################
### Filters
# filters for F5 types
# Keeps non-F5 senders (e.g. load-balancer health-check pings) out of the F5 directories.
filter f_F5_AFM { host("*f5*" type(glob) flags("ignore-case"))};
# AFM logtype filtering
filter f_F5_ipint { match("asu-ip-intelligence" value("MESSAGE")) };
filter f_F5_afmevent { match("[A-Z][A-Z]\/[^\"]+" value("MESSAGE")) };
#############################################################################
### Rewrites
#
rewrite r_F5_trim {
# Strip F5's default partition prefix "/Common/" everywhere in MESSAGE so object
# names (virtual servers, pools, ...) come through bare.
subst("/Common/", "", value("MESSAGE") type ("pcre") flags("global"));
# Planned action normalisation for CIM (presumably Splunk's Common Information
# Model), whose action field allows: allowed, blocked, dropped, unknown.
# Disabled for now. The "?" entries are placeholders, not patterns — a lone "?"
# is an invalid PCRE ("nothing to repeat") and would fail config parsing — so
# fill in the real F5 action strings before enabling. Also note these are
# unanchored global substitutions: "Accept"/"Drop" would be rewritten wherever
# they appear in the message, not only in the action field.
#subst("Accept", "allowed", value("MESSAGE") type ("pcre") flags("global"));
#subst("Drop", "dropped", value("MESSAGE") type ("pcre") flags("global"));
#subst("?", "blocked", value("MESSAGE") type ("pcre") flags("global"));
#subst("?", "unknown", value("MESSAGE") type ("pcre") flags("global"));
};
#############################################################################
### Destinations
#
# AFM destinations. Every path embeds ${HOST}. If hostnames are taken from the
# message (keep-hostname(yes)), enable the global check-hostname(yes) so a
# crafted hostname cannot smuggle path separators or control characters into
# the file name (or wrap it as $(sanitize $HOST) in the template). `LOGHOST` is
# a config-time (backtick) variable that the including configuration must
# define. The per-host directories must already exist unless create-dirs(yes)
# is set here or globally; file perm()/dir-perm() fall back to syslog-ng's
# defaults unless overridden.
destination d_F5_ipint {
# One file per host per 15-minute bucket: $(/ $MIN 15) is integer division of
# the minute, so the suffix is -HH-0 .. -HH-3.
file("/syslog/F5/${HOST}/`LOGHOST`.ipint.${YEAR}${MONTH}${DAY}-$HOUR-$(/ $MIN 15)");
};
destination d_F5_afmevent {
# Hourly file per host for generic AFM events.
file("/syslog/F5/${HOST}/`LOGHOST`.afmevent.${YEAR}${MONTH}${DAY}-$HOUR");
};
destination d_F5_dosprotect {
# Hourly file per host for whatever F5-host traffic did not match the
# ipint/afmevent filters (named for DoS-protection logging; see the log paths).
file("/syslog/F5/${HOST}/`LOGHOST`.dosprotect.${YEAR}${MONTH}${DAY}-$HOUR");
};
destination d_F5_unknown {
# Hourly catch-all per host for anything arriving on the source that matched
# none of the F5 filters (including non-F5 senders).
file("/syslog/F5/${HOST}/`LOGHOST`.unknown.${YEAR}${MONTH}${DAY}-$HOUR");
};
#############################################################################
### Logging
#
# Separate log paths/destinations let syslog-ng's threaded mode process them in parallel.
# Routing for the F5 DDoS appliances. Every path ends with flags(final), so the
# first path whose filters all match consumes the message — order matters:
# most specific first, catch-all last.
log {
# Path 1: IP-intelligence events from F5 hosts.
source (s_udp5432_F5);
# Filters within one log path are ANDed (the message must pass all of them).
filter (f_F5_ipint);
filter (f_F5_AFM);
rewrite (r_F5_trim);
destination(d_F5_ipint);
# final: a message that gets here is not offered to the later paths.
flags(final);
};
log {
# Path 2: generic AFM events from F5 hosts (only reached by messages that did
# not match the IP-intelligence path above).
source (s_udp5432_F5);
# Filters within one log path are ANDed (the message must pass all of them).
filter (f_F5_afmevent);
filter (f_F5_AFM);
rewrite (r_F5_trim);
destination(d_F5_afmevent);
# final: stop evaluating further paths for this message.
flags(final);
};
log {
# Path 3: everything else from F5 hosts. There is no message filter here; the
# destination name assumes the remainder is DoS-protection logging — verify
# against actual traffic, since any unrecognised F5 message type lands here too.
source (s_udp5432_F5);
filter (f_F5_AFM);
rewrite (r_F5_trim);
destination(d_F5_dosprotect);
# final: stop evaluating further paths for this message.
flags(final);
};
log {
# Path 4: catch-all. No filters, so anything that reached this UDP port and
# did not match an F5 host lands here (the rewrite still runs). Because the
# port is unauthenticated, this path is where spoofed or stray traffic ends
# up — worth monitoring for unexpected volume (disk-fill) and unknown senders.
source (s_udp5432_F5);
rewrite (r_F5_trim);
destination(d_F5_unknown);
flags(final);
};