Bug ID 849085: Lines with only asterisks filling message and user.log file

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5

Fixed In:
16.0.0, 15.1.1, 14.1.3.1

Opened: Nov 12, 2019

Severity: 5-Cosmetic

Symptoms

/var/log/message and /var/log/user.log files have lines that only contain asterisks. For example:

Nov 12 10:40:57 bigip1 **********************************************

Impact

The impact is cosmetic only; however, it could make reading the logs more difficult if the sflow SNMP tables are constantly being queried.

Conditions

An SNMP query is made for an OID handled by sflow, for example:

    snmpwalk -v2c -c public localhost SNMPv2-SMI::enterprises.14706.1.1.1

Workaround

You have two options:
-- Filter out all sflow_agent log messages
-- Filter out all messages that contain a newline '\n' or carriage return character '\r'.

Both workarounds are done by editing the syslog template. This means that if you upgrade, you must edit the template again to reinstate the workaround.

=============================================
Solution #1 - Filter out all sflow_agent logs:

1) Remount /usr as read+write:

    mount -o rw,remount /usr

2) Make a backup copy of the template:

    cp /usr/share/defaults/config/templates/syslog.tmpl /usr/share/defaults/config/templates/syslog.tmpl.orig

3) Add write permissions to the template:

    chmod +w /usr/share/defaults/config/templates/syslog.tmpl

4) Add the filter to syslog.tmpl:

4a) Open syslog.tmpl for edit:

    vi /usr/share/defaults/config/templates/syslog.tmpl

4b) Add the new filter after the filter f_messages:

    filter f_not_sflow {
        not match ("sflow_agent" value("$PROGRAM"));
    };

For example:

    filter f_messages {
        level(UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESFROM..UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESTO)
        and not facility(auth, authpriv, cron, daemon, mail, news)
        and not message("WA");
    };

    filter f_not_sflow {
        not match ("sflow_agent" value("$PROGRAM"));
    };

4c) Add the filter to the log that sends all source local messages to the syslog pipe:

    log {
        source(local);
        filter(f_not_sflow);
        destination(d_syslog_pipe);
    }

5) Save the changes and quit vi.

6) In order for the BIG-IP system to write out the syslog conf with the modified template, you must change the syslog configuration. To do so, use tmsh to modify the 'daemon-from' to 'info' and then back to the default of 'notice':

    tmsh modify /sys syslog daemon-from info
    tmsh modify /sys syslog daemon-from notice

7) Ensure the changes were written to /etc/syslog-ng/syslog-ng.conf.

8) Remount /usr as read-only:

    mount -o ro,remount /usr

=============================================
Solution #2 - Filter out all messages with \n or \r:

1) Remount /usr as r+w:

    mount -o rw,remount /usr

2) Make a backup copy of the template:

    cp /usr/share/defaults/config/templates/syslog.tmpl /usr/share/defaults/config/templates/syslog.tmpl.orig

3) Add write permissions to the template:

    chmod +w /usr/share/defaults/config/templates/syslog.tmpl

4) Add the filter to syslog.tmpl:

4a) Open syslog.tmpl for edit:

    vi /usr/share/defaults/config/templates/syslog.tmpl

4b) Add the new filter after the filter f_messages:

    filter f_no_multi_line {
        not (message('\n') or message('\r'));
    };

For example:

    filter f_messages {
        level(UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESFROM..UNIX_CONFIG_SYSLOG_REPLACE_MESSAGESTO)
        and not facility(auth, authpriv, cron, daemon, mail, news)
        and not message("WA");
    };

    filter f_no_multi_line {
        not (message('\n') or message('\r'));
    };

4c) Add the filter to the log that sends all source local messages to the syslog pipe:

    log {
        source(local);
        filter(f_no_multi_line);
        destination(d_syslog_pipe);
    }

5) Save the changes and quit vi.

6) In order for the BIG-IP system to write out the syslog conf with the modified template, you must change the syslog configuration. To do so, use tmsh to modify the 'daemon-from' to 'info' and then back to the default of 'notice':

    tmsh modify /sys syslog daemon-from info
    tmsh modify /sys syslog daemon-from notice

7) Ensure the changes were written to /etc/syslog-ng/syslog-ng.conf.

8) Remount /usr as read-only:

    mount -o ro,remount /usr
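One way to carry out the step 7 check and to measure the symptom before and after, as an added example that is not part of F5's article or F5 code. The function names has_workaround and count_asterisk_lines are hypothetical, and the check assumes the generated configuration keeps the filter and log statements in the form shown in steps 4b and 4c.

```shell
#!/bin/bash
# Added example (not F5 code). Function names are hypothetical.
# Usage on a BIG-IP after step 6, for Solution #1:
#   has_workaround /etc/syslog-ng/syslog-ng.conf f_not_sflow && echo applied
#   count_asterisk_lines /var/log/user.log

# has_workaround CONF FILTER
# Succeeds only if CONF both defines FILTER (step 4b) and applies it in a
# log path that ends at d_syslog_pipe (step 4c). A definition that is
# commented out, or defined but never referenced, does not count.
has_workaround() {
    conf=$1
    filter=$2
    # Drop comments, then flatten so a multi-line log { ... } block matches.
    flat=$(sed 's/#.*$//' "$conf" 2>/dev/null | tr '\n' ' ')
    # Step 4b: "filter NAME {" is a definition; "filter(NAME);" is not.
    printf '%s\n' "$flat" |
        grep -Eq "filter[[:space:]]+${filter}[[:space:]]*\{" || return 1
    # Step 4c: the same log block must use the filter and reach the pipe.
    printf '%s\n' "$flat" |
        grep -Eq "log[[:space:]]*\{[^}]*filter\(${filter}\);[^}]*destination\(d_syslog_pipe\);[^}]*\}"
}

# count_asterisk_lines LOGFILE
# Prints how many lines carry nothing but asterisks after the
# "Mon DD HH:MM:SS host" prefix, the shape shown under Symptoms.
count_asterisk_lines() {
    # grep -c exits 1 when the count is 0; that is not an error here.
    grep -Ec '^[A-Z][a-z]{2} +[0-9]{1,2} [0-9:]{8} [^ ]+ \*+[[:space:]]*$' "$1" || true
}
```

For Solution #2, pass f_no_multi_line as the filter name. A count that keeps rising after the workaround means the generated configuration was not reloaded or the filter is not in the active log path.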

Fix Information

The sflow log message that was a multiline message has been changed so that it is no longer multiline.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips