Forum Discussion
BIG-IP / Virtual Server for UDP & TCP DNS Loadbalancing / extracting client IPs
- Apr 26, 2023
Have you tried using this guide to send HSL via the management interface?
K50040950: Configuring the BIG-IP system to send high-speed logs through the management interface
Hi,
I'm not sure about the partition part. However, I labbed this (all objects in the /Common partition) and it tested fine:
1) Create HSL management-port destination
create sys log-config destination management-port HSL-MGMT-DESTINATION ip-address <SYSLOG DST IP> port 514 protocol udp
2) Create HSL publisher referencing management-port destination
create sys log-config publisher management-port-pub destinations add { HSL-MGMT-DESTINATION }
3) Create DNS logging iRule
ltm rule IRULE-SYSLOG-MGMT {
when CLIENT_ACCEPTED {
binary scan [UDP::payload] H4@12A*@12H* id dname question
set dname [string tolower [getfield $dname \x00 1 ] ]
# logs locally only
#log local0. "dns_src_ip=[IP::client_addr] requested dns_query=$dname"
# high speed logging
set hsl [HSL::open -publisher /Common/management-port-pub]
HSL::send $hsl "dns_src_ip=[IP::client_addr] requested dns_query=$dname"
}
}
4) Create pool
create ltm pool <POOL NAME> members add { <POOL MEMBER IP>:53 }
5) Create UDP/53 virtual server
create ltm virtual <VS NAME> destination <VIP>:53 pool <POOL NAME> profiles add { udp } source-address-translation { type automap } rules { IRULE-SYSLOG-MGMT }
===============
// VERIFICATION
===============
# tcpdump on F5 MGMT interface for UDP syslog traffic
[root@bigip-1:Active:In Sync] config # tcpdump -i mgmt -nn -c 100 -A "udp port 514"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on mgmt, link-type EN10MB (Ethernet), capture size 65535 bytes
09:11:24.929974 IP <F5 MGMT IP>.39556 > <SYSLOG DST IP>.514: [|syslog]
E..S<.@.@...
...
..
.....?.Qdns_src_ip=<CLIENT IP> requested dns_query=.google.com
# Kiwi Sylog server entry showing client IP
04-28-2023 09:11:24 Local7.Debug <F5 MGMT IP> dns_src_ip=<CLIENT IP> requested dns_query=google.com
Hey Michael,
Thanks for labbing this. I had the configuration you posted in mind but dont't know why I didn't do it 😉 I will give it try.
I re-implemented my whole configuration for "HSL via mgmt" in the specific partition and it worked out! For me the topic is solved. Thanks a lot for your support, Michael_Saleem.
- Apr 28, 2023
Awesome. I'm glad that I could help 😊
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com