Forum Discussion
CirrostratusBIG-IP 11.4 LTM - Connection logging
Hi to all,
I have a few questions regarding session and connection logging at BIG-IP LTM v11.4.
How can I see current connections on LTM system including SNAT translations (Original source IP and port), connections torward server etc.
Also is there any way to send this informations to remote server (over syslog, SNMP etc.)?
Best regards, Mate Grbavac
9 Replies
- nitass
Employee
How can I see current connections on LTM system including SNAT translations (Original source IP and port), connections torward server etc.
have you tried "tmsh show sys connection all-properties"?
Also is there any way to send this informations to remote server (over syslog, SNMP etc.)?
you can get ip and port using IP::local_addr, IP::remote_addr, TCP::local_port, TCP::remote_port and send it using high speed logging.
high speed logging
https://devcentral.f5.com/wiki/irules.HSL.ashx 
Mate_132781Thank you for response.
I configured HSL, Request Logging profile and associate prifile with virtal server.
In Template field i wrote down CLIENT_IP,CLIENT_PORT;SNAT_IP,SNAT_PORT, but in syslog I got just theese text, not real values (IP addresses and ports).
Is there any special syntax for configuring template under Request Logging?
Mui_64918Cirrus
Was there any performance impact ? did you measure the latency due to HSL logging?
- Mate_132781
For now I didn't see any performace problem, but system is not in full production yet.
In the meantime, I found correct syntax for Request Logging, "$" sign must be used, for example: $CLIENT_IP,$CLIENT_PORT;$SNAT_IP,$SNAT_PORT
Now I have another problem... :-)
If I use template $CLIENT_IP,$CLIENT_PORT;$SNAT_IP,$SNAT_PORT I see correct informations, but if i add date and time before ($DATE_NCSA,$CLIENT_IP,$CLIENT_PORT;$SNAT_IP,$SNAT_PORT) syslog information is cutted like in picture below (you can see date, time, source IP and port and part od SNAT IP and no SNAT port:
Is it possible to send all informations, without cutting and put sometnihg in place of "unknown"?
- nitass
but if i add date and time before ($DATE_NCSA,$CLIENT_IP,$CLIENT_PORT;$SNAT_IP,$SNAT_PORT) syslog information is cutted like in picture below (you can see date, time, source IP and port and part od SNAT IP and no SNAT port
what tcpdump command did you use? was -s0 included?
have you checked log in syslog server? i think log in syslog may be complete.
Tabish_Mirza_12Nimbostratus
Hello Folks,
I have same requirement. We want to forward connection session information to syslog server. Could you please help me to achieve this. I want to know the steps required for this.
Please.
Thanks
- Mate_132781
Hello guys,
antoher question regarding logging.
We are doing some TCP optimization and we'd need to log connections.
O.K., it's not problem with SRC & DST IP and PORT, but we also need:
IP Protocol ID
duration of session
amount of uploaded data per connection
amount of downloaded data per connection
I looked at Configuring Request Logging, but didn't find any of those.
Is this even possible just with TCP profile on BIG-IP?
BR, Mate
seemetomorrow_2Any update on this?
- DVP_309408
Need this
