Configuring Syslog Server for a Specific Virtual Server
Hi, guys
I have an application in BIG IP, according to the image.
I need all the IPs that have accessed VS_APP1 to be registered on the syslog server.
Could someone help me set this up?
Thank you
- Kevin_K_51432 (Historic F5 Account)
Greetings,
I haven't used the virtual server's Request Logging profile much, but was able to create a profile that logs the source IP address of the connecting client:
In the Request profile Template section, I simply entered:
Client IP is: ${CLIENT_IP}
And it was sent to the remote syslog:
14:10:53.969588 IP 10.12.23.120.48392 > 10.12.23.27.514: [|syslog]
    0x0000:  4500 0037 cb69 4000 ff11 6da1 0a0c 1778  E..7.i@...m....x
    0x0010:  0a0c 171b bd08 0202 0023 7989 436c 6965  .........y.Clie
    0x0020:  6e74 2049 5020 6973 3a20 3130 2e31 322e  nt.IP.is:.10.12.
    0x0030:  3235 302e 3133 30                        250.130
Hope this is useful!
Kevin
In case, for me to send the log to the "Local 6" Syslog server, how can this be done?
- Kevin_K_51432 (Historic F5 Account)
Hi Rodrigo,
The best I could do was add the following line to my rsyslog config:
if $fromhost-ip startswith '10.12.23.' then /var/log/local6.log
tail -f /var/log/local6.log
Oct 4 08:34:54 local6.notice Client IP is: 10.12.250.130
Hope this is somewhat helpful, let us know if you come up with something!
Thanks,
Hi, Kevin
I configured the profile "request logging".
The problem I'm having is that on the production syslog (Linux) server the access information does not appear.
I installed a syslog program on my computer for testing (3CDaemon program) and in this case the access information appeared correctly.
It seems that BIG-IP forwards this information to a "user.info" facility, and this facility is what does not appear on the production syslog server.
You would have to see a way for this information to be routed to some "local (1-6)" location on the production syslog server.
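Why the facility matters here, as an added example that is not code from the thread: the datagram in the capture above starts directly with "Client IP is:" and carries no <PRI> header, so the receiver has to pick a facility itself. The sketch decodes PRI the way RFC 3164 describes (no valid PRI means 13, user.notice); the function names are hypothetical, and how a particular syslog daemon treats a missing PRI is an assumption to check on the production server.

```python
import re

# Facility and severity names in RFC 3164 numeric order.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
DEFAULT_PRI = 13                      # RFC 3164 section 4.3.3: user.notice
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(pri):
    """Split a PRI value into (facility, severity) names."""
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def pri_for(facility, severity):
    """PRI value a sender must emit for facility.severity."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def classify(datagram):
    """Return (facility, severity, message, had_pri) for one UDP syslog payload."""
    m = PRI_RE.match(datagram)
    pri = int(m.group(1)) if m else None
    if pri is None or pri > 191:      # 191 = local7.debug, the largest legal PRI
        text = datagram.decode("utf-8", "replace")
        return (*decode_pri(DEFAULT_PRI), text, False)
    text = datagram[m.end():].decode("utf-8", "replace")
    return (*decode_pri(pri), text, True)

# UDP payload taken from the tcpdump output in this thread (27 bytes after
# the 20-byte IP header and 8-byte UDP header).
CAPTURED = bytes.fromhex("436c69656e742049502069733a2031302e31322e3235302e313330")

if __name__ == "__main__":
    print(classify(CAPTURED))                     # falls back to user.notice
    print(pri_for("local6", "notice"))            # PRI needed for local6.notice
    print(classify(b"<181>" + CAPTURED))          # constructed: same text with a PRI
```

A server that only writes local0-local7 to its request log would therefore drop or misfile the headerless message, which matches the symptom described in the post above.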
- Snl (Cirrostratus)
One more option is to use an HSL iRule for this; create a pool named POOL_SYSLOG.
Refer below:

# POOL_SYSLOG - create a pool with the syslog server IP address
when HTTP_REQUEST {
    set http_request_time [clock clicks -milliseconds]
    set timestamp [clock format [clock seconds] -format {%d/%b/%Y:%H:%M:%S %z}]
    set remote [IP::remote_addr]
    set client [IP::client_addr]:[TCP::client_port]
    set url [HTTP::host][HTTP::uri]
    set referer [HTTP::header "Referer"]
    set vip [IP::local_addr]:[TCP::local_port]
    set httpMethod [HTTP::method]
    set httpVersion [HTTP::version]
    set xforwardfor [HTTP::header X-Forwarded-For]
    # Character replacement in url and referer; the map list is kept as posted
    # (string map expects a list of key/value pairs)
    set url [string map " x" $url]
    set referer [string map " x" $referer]
    set hsl [HSL::open -proto UDP -pool POOL_SYSLOG]

    # Limit the url variable to 300 characters
    if {[string length $url] > 300} {
        set url "[string range $url 0 299]..."
    }

    # Limit the referer variable to 300 characters
    if {[string length $referer] > 300} {
        set referer "[string range $referer 0 299]..."
    }

    # Build the Request log line
    set request_log_line " $timestamp [virtual name] $client $remote $vip $url $referer $httpMethod $httpVersion"
    log local0.info "Request - $request_log_line"
}

when HTTP_RESPONSE {
    # VARIABLES
    # Initialize local variables used in this rule
    set http_response_time [clock clicks -milliseconds]
    set client [IP::client_addr]:[TCP::client_port]
    set node [IP::server_addr]:[TCP::server_port]
    set nodeResp [HTTP::status]
    set payloadLength [HTTP::payload length]
    set responseTime [expr {$http_response_time - $http_request_time}]

    # Build the Response log line
    set response_log_line "$client $node $nodeResp $payloadLength $responseTime $http_request_time $xforwardfor"
    log local0.info "Response - $response_log_line"

    # Send the Request and Response log lines to POOL_SYSLOG over HSL
    HSL::send $hsl "IRULE_COMMON_LOG : $request_log_line - $response_log_line"
}
- bogdanalexandru (Nimbostratus)
It's all about the default syslog message format as it turns out.
Here's what worked for me:
- Request Logging Template = $DATE_MON $DATE_DD $TIME_HMS slot1/NNORM3-LB002V01 notice msg[HTTP-REQ-LOG] src-ip=$CLIENT_IP method=$HTTP_METHOD uri=$HTTP_URI
  * Everything that is not preceded by $ (text in bold) is just simple text I entered that appears "as is" in logs.
- syslog-ng filter = host("NNORM3-LB002V01" ) and match("HTTP-REQ-LOG" value("MESSAGE"))
- log message example = Jun 29 01:28:27 slot1/NNORM3-LB002V01 notice msg[HTTP-REQ-LOG] src-ip=10.250.158.188 method=GET uri=/dsa-claims
Enjoy
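Turning lines in that format into the list of client IPs the original question asks for, as an added example that is not code from the thread: it assumes the field order of the template in the post above (uri last), and the function names and all sample lines except the first are constructed.

```python
import ipaddress
import re
from collections import Counter

# uri is the last field and is matched to end of line, so client-supplied text
# inside the URI is not mistaken for the src-ip field written by the BIG-IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+ "
    r"msg\[HTTP-REQ-LOG\] src-ip=(?P<src>\S+) method=(?P<method>\S+) uri=(?P<uri>.*)$"
)

def parse_line(line):
    """Return a dict for a well-formed request-log line, else None."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])   # reject anything that is not an IP
    except ValueError:
        return None
    return {"ts": m["ts"], "host": m["host"], "src": str(src),
            "method": m["method"], "uri": m["uri"]}

def clients(lines):
    """Count requests per client IP; also return how many lines were rejected."""
    hits, rejected = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected += 1
        else:
            hits[rec["src"]] += 1
    return hits, rejected

PREFIX = "slot1/NNORM3-LB002V01 notice msg[HTTP-REQ-LOG] "
SAMPLE = [
    # First line is the log message example from the post; the rest are constructed.
    "Jun 29 01:28:27 " + PREFIX + "src-ip=10.250.158.188 method=GET uri=/dsa-claims",
    "Jun 29 01:28:29 " + PREFIX + "src-ip=10.250.158.188 method=GET uri=/x?a=1 src-ip=192.0.2.9",
    "Jun 29 01:28:31 " + PREFIX + "src-ip=192.0.2.77 method=POST uri=/login",
    "Jun 29 01:28:33 otherhost sshd[811]: Accepted publickey for admin",
]

if __name__ == "__main__":
    hits, rejected = clients(SAMPLE)
    for ip, count in hits.most_common():
        print(ip, count)
    print("rejected lines:", rejected)
```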