F5 BigIP syslog is discovered as rlinux device.

Question asked by safecharge on May 4, 2015

Hi,

I have created an iRule in my F5 BigIP LTM to send information to SA.

I also configured a new header & message information using the "RSA enVision EventSource Integrator" software.

When using the RSA enVision EventSource software, I am able to parse all the syslogs that are coming from the F5.

But I noticed that after copying the new bigipmsg.xml file to SA, I am still unable to see the parsed data.

After investigating the issue, I noticed that the syslog is parsed as an rlinux device, and that is why I am unable to see the parsed data (it has no parser for it in the rlinuxmsg.xml file).

I am guessing that the rlinux parser comes first in the parsing, and because of that SA stops the parsing and does not parse the syslog as BigIP.

Is there a way to make sure the bigip parser will be "first in line"? First try parsing it as bigip, and only if that fails, try the rlinux parser.

If not, is there any way to tell the SA rlinux parser never to parse a syslog that contains some special unique string?

Thanks,
