Forum Discussion
krishans_52349
Nimbostratus
Jan 25, 2011
Configure syslog server in F5 with an iRule to see actual internet IP in syslog server
Hi,
We are using a BIG-IP 3900, version 10.2. Our network topology is such that we need to enable SNAT as AutoMap; for this reason we are not able to see the actual Internet IP / client IP on the servers.
We want to configure an iRule in such a way that it will log the actual Internet/client IP and send it to the syslog server. For that, do we need to configure a syslog server in F5, or can it be configured or forwarded through the iRule itself?
Our main aim is to see only the actual Internet/client IP.
Please help.
Thanks in advance for the help.
22 Replies
- Colin_Walker_12
Historic F5 Account
It depends on what you're trying to log. If all you want is the client/pool info, then the three SERVER_CONNECTED lines should be just fine.
Colin
- krishans_52349
Nimbostratus
Hi Colin,
One more query: my syslog server 192.168.x.x is placed on the management interface of the F5. Is it possible to route the traffic to 192.168.x.x through the management interface? I am talking about the traffic which is triggered by this iRule to send logs to the syslog server.
Thanks in advance
- Colin_Walker_12
Historic F5 Account
Ahh, that's a bit of an issue actually. Your iRule won't be able to send traffic out the management port. That'd be a heinous security risk. You'll need to make sure the syslog server you want to send traffic to is routable from a non-management interface on the system.
Colin
- Chris_Miller
Altostratus
You can read about management interface routing here. It's a very powerful tool, I use it constantly.
http://support.f5.com/kb/en-us/solutions/public/3000/600/sol3669.html?sr=12342274
This is an interesting situation though since the traffic is being handled by TMM. Any thoughts guys?
- Colin_Walker_12
Historic F5 Account
I guess I'd have to try it out, but my understanding is (always has been) that you can't traverse from TMM to management for good reason. The article you linked says:
"Traffic sourced from a TMM (self IP) address will always use the most specific matching TMM route. Traffic sourced from a TMM address will never use a management route."
That's how I've always understood it.
Colin
- krishans_52349
Nimbostratus
Hi Colin,
Could you suggest some options for sending the syslog traffic to the management interface?
For example, should I configure syslog within the LTM configuration, i.e. through syslog-ng.conf or bigpipe syslog remote server x.x.x.x? And if yes, then what will be the syntax for the iRule?
Or are there any other options available to log the client IP address along with the node IP address?
- Chris_Miller
Altostratus
Posted By Colin Walker on 01/26/2011 07:21 AM
Ahh, that's a bit of an issue actually. Your iRule won't be able to send traffic out the management port. That'd be a heinous security risk. You'll need to make sure the syslog server you want to send traffic to is routable from a non management interface on the system.
Colin
And this isn't limited to HSL, right? Any logs originating from an iRule will not take mgmt routes?
- Colin_Walker_12
Historic F5 Account
It's considered one transaction because the TMM is the one dumping the log to the wire if you configure iRules to send the log directly. If you think about it that way, it makes total sense, I think.
If iRules is the one sending the log info, then TMM is the one truly doing the sending, not the "system", so no management interface. If you log to syslog and then allow it to process the log for external consumption, then it's truly outbound administrative via the system, and can therefore access the mgmt interface.
Colin
- krishans_52349
Nimbostratus
Hi Colin,
So, I need to configure syslog within the LTM configuration, i.e. through syslog-ng.conf or bigpipe syslog remote server x.x.x.x.
But what will be the syntax for the iRule then? Could you please paste the syntax for me?
And after configuring syslog-ng.conf, I need to configure the route below, right?
bigpipe mgmt route netmask gateway
- Colin_Walker_12
Historic F5 Account
The iRule will be the exact same syntax minus the IP address:
when SERVER_CONNECTED {
    log local0.info "Client: [IP::client_addr], Pool member [IP::server_addr]:[TCP::server_port]"
}
Colin
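As an added example (not from any post in this thread), the iRule below extends Colin's one-liner to record the real client address next to the SNAT address the server actually sees, and shows the two log paths discussed above side by side: local syslog, which the system's syslog-ng can forward over a management route, and HSL, which TMM sends directly and therefore needs a server reachable from a self IP. The pool name syslog_pool is an assumption; in practice you would keep only one of the two paths.

```tcl
# Added example, not part of the original thread. Assumes a pool named
# "syslog_pool" exists for the HSL path and that the remote syslog server
# for the local0 path is configured on the system (syslog-ng.conf or
# bigpipe syslog remote server), not in the iRule.
when SERVER_CONNECTED {
    # Real client address and port, regardless of SNAT AutoMap
    set client "[IP::client_addr]:[TCP::client_port]"
    # Address the pool member sees (the SNAT address chosen by AutoMap)
    set snat   "[IP::local_addr]:[TCP::local_port]"
    # Pool member selected for this connection
    set member "[IP::server_addr]:[TCP::server_port]"

    # Path 1: local syslog. The message is handed to the system's syslog-ng,
    # which forwards it to the remote server; that forwarding is done by the
    # host, so it may use a management route.
    log local0.info "vs=[virtual name] client=$client snat=$snat member=$member"

    # Path 2: High-Speed Logging. TMM writes this straight to the pool, so the
    # syslog server must be routable from a self IP, never via the mgmt port.
    set hsl [HSL::open -proto UDP -pool syslog_pool]
    HSL::send $hsl "<134>vs=[virtual name] client=$client snat=$snat member=$member"
}
```

On the syslog server, correlate the snat field with the server-side logs to map each back-end connection to its real client.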