Forum Discussion
krishans_52349
Nimbostratus
NimbostratusConfigure syslog server in F5 with an irule to see actual internet IP in syslog server
Hi,
we are using Big IP 3900 version 10.2 , We had network topolgy in this way that we need to enable SNAT as AutoMap , For this reason we are not been able to see the actual Internet IP / Client IP , in the servers .
We want configure an irule in such a way that it will log the actual Internet/Client IP and send it to the syslog server . For that should we need to configure syslog server in F5 , or it can be configured or forward through irule itself.
Our mail Aim is to see only the Actual Internet/Client IP.
Please help
Thanks in Advance for the help
22 Replies
- Chris_Miller
Altostratus
Are you just using HTTP? If so, you can insert it in an X-Forwarded-For header and have your web server parse for that. Otherwise, you can use an iRule to log the client's ip address and send it to whatever logging facility you want. As long as your F5 box is configured to pass the data to the syslog server, that should be plenty easy. 
krishans_52349Hi Chris ,
Thanks , the issue if gor https / SSL traffic , for http we are using X-forwarded feature ,
Could you help me to use an iRule and the syntax for that so that we can log the client's ip address and send it to Syslog server .
We dont have syslog server configured yet.- Chris_MillerHere's a good doc on configuring syslog:
https://support.f5.com/kb/en-us/solutions/public/8000/200/sol8260.html
Here's a sample iRule:when CLIENT_ACCEPTED { log local0. "Client's IP Address was [IP::client_addr]" } - Chris_MillerHere's an absolutely perfect example for you:
http://devcentral.f5.com/wiki/default.aspx/iRules/LogHttpTcpUdpToSyslogng.html - krishans_52349Hi Chris ,
Can i use the syslog server ip address in the irule itself , without configuring the syslog sever separately.
I found this syntax in Devcentral only , Suppose our syslog server ip is 192.168.202.174
when CLIENT_ACCEPTED {
log 192.168.203.174 local0.info "Client Connected, IP: [IP::client_addr]"
}
when SERVER_CONNECTED {
log 192.168.203.174 local0.info "Client: [IP::client_addr], Pool member [IP::server_addr]:[TCP::server_port]"
}
Will this work to log client ip address along with node ip address in the syslog server , without configuring the syslog server through syslog-ng.conf or bigpipe syslog remote server x.x.x.x . - Yes, in 10.2 you should be able to log directly to your syslog server via the log command.
Colin 
hoolioCirrostratus
HSL in 10.1 and higher would be more efficient than the older log command. If you're on 9.4.0 - 10.0.x, you could use 'log -remote':
iRules Update: New options for the "log" command
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=190
Aaron- krishans_52349Hi ,
So will work and log directly to Syslog server 192.168.203.174 ( As an example ) without configuring the syslog-ng.conf or bigpipe syslog remote server x.x.x.x .
--------------------------------------------------------------------------------------
when CLIENT_ACCEPTED {
log 192.168.203.174 local0.info "Client Connected, IP: [IP::client_addr]"
}
when SERVER_CONNECTED {
log 192.168.203.174 local0.info "Client: [IP::client_addr], Pool member [IP::server_addr]:[TCP::server_port]"
}
--------------------------------------------------------------------------------------
And i need to apply this irule to each virtual server under resource tab.
Will this above for me . - The log statement actually uses the same HSL exit point on the LTM if you supply an IP address post 10.1, so log and HSL should be equally efficient, last I checked.
And yes, kirshans, that would log directly to that syslog server with no LTM configuration.
Colin - krishans_52349Hi Colin ,
I am Still unclear that , to achieve one log message that is sent to the syslog server 192.168.x.x , per connection , Should i configure these six line statement
--------------------------------------------------------------------------------------
when CLIENT_ACCEPTED {
log 192.168.203.174 local0.info "Client Connected, IP: [IP::client_addr]"
}
when SERVER_CONNECTED {
log 192.168.203.174 local0.info "Client: [IP::client_addr], Pool member [IP::server_addr]:[TCP::server_port]"
}
--------------------------------------------------------------------------------------
or should i configure these three line statements is enough , Could you please tell me the exact syntax to achieve my aim .
------------------------------------------------------------------------------------------------------------------------------------------------------
when SERVER_CONNECTED {
log 192.168.x.x local0.info "Client: [IP::client_addr], Pool member [IP::server_addr]:[TCP::server_port]"
}
------------------------------------------------------------------------------------------------------------------------------------------------------
