Forum Discussion

Dula_Hernandez_'s avatar
Dula_Hernandez_
Icon for Nimbostratus rankNimbostratus
Dec 16, 2010

External logging writes twice

Hi Guys,

 

 

I have a problem with an external logging because irule writes twice lines. Here's the code:

 

 

when CLIENT_ACCEPTED {

 

set hsl [HSL::open -proto UDP -pool syslog_server_pool]

 

}

 

when HTTP_REQUEST {

 

set LogUri [HTTP::uri]

 

}

 

when HTTP_RESPONSE {

 

if {[HTTP::status] eq 200} {

 

set now [clock format [clock seconds] -format "%d/%b/%Y:%H:%M:%S %z"]

 

set LogString "[IP::client_addr] - - \[$now\] \"GET $LogUri HTTP/[HTTP::version]\" [HTTP::status] [HTTP::payload length]"

 

log -noname local0. "$LogString"

 

log -noname 192.168.1.152 local0. "$LogString"

 

HSL::send $hsl "$LogString"

 

}

 

}

 

 

 

with line "log -noname local0. ..." it works perfectly well.

 

But, when log goes externally using log or HSL, it writes twice: the first line, origin IP is from web client. The origin iP on second line is from LTM.

 

I made a capture using wireshark and there's two messages, so that's why I got 2 lines with the same content.

 

 

Where is the /var/log/ltm output:

 

Dec 16 18:13:06 local/tmm1 info tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:06 -0600] "GET /articulos/62079.html HTTP/1.1" 200 1021

 

Dec 16 18:13:08 local/tmm info tmm[5103]: 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /lo_mas/lasmasNotas.html?_=1292544726571 HTTP/1.1" 200 1038

 

Dec 16 18:13:08 local/tmm1 info tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /destacamos/destacamos100.html?_=1292544727392 HTTP/1.1" 200 1036

 

Dec 16 18:13:09 local/tmm1 info tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:09 -0600] "GET /favicon.ico HTTP/1.1" 200 1068

 

 

 

Where is the syslog output:

 

Dec 16 18:12:22 192.168.1.10 tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:06 -0600] "GET /articulos/62079.html HTTP/1.1" 200 1021

 

Dec 16 18:12:22 192.168.1.162 tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:06 -0600] "GET /articulos/62079.html HTTP/1.1" 200 1021

 

Dec 16 18:12:22 192.168.1.10 192.168.1.162 - - [16/Dec/2010:18:13:06 -0600] "GET /articulos/62079.html HTTP/1.1" 200 1021

 

Dec 16 18:12:22 192.168.1.162 192.168.1.162 - - [16/Dec/2010:18:13:06 -0600] "GET /articulos/62079.html HTTP/1.1" 200 1021

 

Dec 16 18:12:23 192.168.1.10 tmm[5103]: 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /lo_mas/lasmasNotas.html?_=1292544726571 HTTP/1.1" 200 1038

 

Dec 16 18:12:23 192.168.1.10 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /lo_mas/lasmasNotas.html?_=1292544726571 HTTP/1.1" 200 1038

 

Dec 16 18:12:23 192.168.1.162 tmm[5103]: 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /lo_mas/lasmasNotas.html?_=1292544726571 HTTP/1.1" 200 1038

 

Dec 16 18:12:23 192.168.1.162 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /lo_mas/lasmasNotas.html?_=1292544726571 HTTP/1.1" 200 1038

 

Dec 16 18:12:24 192.168.1.10 tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /destacamos/destacamos100.html?_=1292544727392 HTTP/1.1" 200 1036

 

Dec 16 18:12:24 192.168.1.10 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /destacamos/destacamos100.html?_=1292544727392 HTTP/1.1" 200 1036

 

Dec 16 18:12:24 192.168.1.162 tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /destacamos/destacamos100.html?_=1292544727392 HTTP/1.1" 200 1036

 

Dec 16 18:12:24 192.168.1.162 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /destacamos/destacamos100.html?_=1292544727392 HTTP/1.1" 200 1036

 

Dec 16 18:12:25 192.168.1.10 tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:09 -0600] "GET /favicon.ico HTTP/1.1" 200 1068

 

Dec 16 18:12:25 192.168.1.10 192.168.1.162 - - [16/Dec/2010:18:13:09 -0600] "GET /favicon.ico HTTP/1.1" 200 1068

 

Dec 16 18:12:25 192.168.1.162 tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:09 -0600] "GET /favicon.ico HTTP/1.1" 200 1068

 

Dec 16 18:12:25 192.168.1.162 192.168.1.162 - - [16/Dec/2010:18:13:09 -0600] "GET /favicon.ico HTTP/1.1" 200 1068

 

 

 

IP 192.168.1.10 is for LTM, and .162 for my web client.

 

 

 

Does anyone have any hint?

 

 

Thanks in advance.

 

 

Dula.

 

1 Reply

  • Hi Dula,

     

     

    Can you clarify what you're actually trying to do?

     

     

    HSL is going to be much more efficient than logging locally. And it should be more efficient than logging remotely using 'log $syslog_ip'. Can you try commenting out all of the log statements except the HSL logging and check whether you see two messages in tcpdumps?

     

     

    Thanks, Aaron