
F5 BigIP syslog is discovered as rlinux device.

Question asked by safecharge on May 4, 2015



I have created an iRule in my F5 BigIP LTM to send information to SA.


I also configured a new header and message information using the "RSA enVision EventSource Integrator" software.


When using the RSA enVision EventSource software, I am able to parse all the syslogs that are coming from the F5.

But I noticed that after copying the new bigipmsg.xml file to SA, I am still unable to see the parsed data.


After investigating the issue, I noticed that the syslog is parsed as an rlinux device, and that is why I am unable to see the parsed data (it has no parser for it in the rlinuxmsg.xml file).


I am guessing that the rlinux parser comes first in the parsing, and because of that SA stops the parsing and does not parse the syslog as BigIP.


Is there a way to make sure the bigip parser will be "first in line"? First try parsing it as bigip, and only if that fails, try the rlinux parser.

If not, is there any way to tell the SA rlinux parser never to parse a syslog that contains some special unique string?