External logging writes twice

Question

Hi Guys,&nbsp;
&nbsp;I have a problem with an external logging because irule writes twice lines. Here's the code:&nbsp;
&nbsp;when CLIENT_ACCEPTED {
&nbsp;   set hsl [HSL::open -proto UDP -pool syslog_server_pool]
&nbsp;}
&nbsp;when HTTP_REQUEST {
&nbsp;   set LogUri [HTTP::uri] 
&nbsp;}
&nbsp;when HTTP_RESPONSE {
&nbsp;    if {[HTTP::status] eq 200} {
&nbsp;        set now [clock format [clock seconds] -format "%d/%b/%Y:%H:%M:%S %z"]
&nbsp;        set LogString "[IP::client_addr] - - $$$now$$ \"GET $LogUri HTTP/[HTTP::version]\" [HTTP::status] [HTTP::payload length]"
&nbsp;        log -noname local0. "$LogString"
&nbsp;        log -noname 192.168.1.152 local0. "$LogString"
&nbsp;        HSL::send $hsl "$LogString"
&nbsp;    }
&nbsp;}&nbsp;&nbsp;
&nbsp;with line "log -noname local0. ..." it works perfectly well.
&nbsp;But, when log goes externally using log or HSL, it writes twice: the first line, origin IP is from web client. The origin iP on second line is from LTM.
&nbsp;I made a capture using wireshark and there's two messages, so that's why I got 2 lines with the same content.&nbsp;
&nbsp;Where is the /var/log/ltm output:
&nbsp;Dec 16 18:13:06 local/tmm1 info tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:06 -0600] "GET /articulos/62079.html HTTP/1.1" 200 1021
&nbsp;Dec 16 18:13:08 local/tmm info tmm[5103]: 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /lo_mas/lasmasNotas.html?_=1292544726571 HTTP/1.1" 200 1038
&nbsp;Dec 16 18:13:08 local/tmm1 info tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /destacamos/destacamos100.html?_=1292544727392 HTTP/1.1" 200 1036
&nbsp;Dec 16 18:13:09 local/tmm1 info tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:09 -0600] "GET /favicon.ico HTTP/1.1" 200 1068&nbsp;&nbsp;
&nbsp;Where is the syslog output:
&nbsp;Dec 16 18:12:22 192.168.1.10 tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:06 -0600] "GET /articulos/62079.html HTTP/1.1" 200 1021
&nbsp;Dec 16 18:12:22 192.168.1.162 tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:06 -0600] "GET /articulos/62079.html HTTP/1.1" 200 1021
&nbsp;Dec 16 18:12:22 192.168.1.10 192.168.1.162 - - [16/Dec/2010:18:13:06 -0600] "GET /articulos/62079.html HTTP/1.1" 200 1021
&nbsp;Dec 16 18:12:22 192.168.1.162 192.168.1.162 - - [16/Dec/2010:18:13:06 -0600] "GET /articulos/62079.html HTTP/1.1" 200 1021
&nbsp;Dec 16 18:12:23 192.168.1.10 tmm[5103]: 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /lo_mas/lasmasNotas.html?_=1292544726571 HTTP/1.1" 200 1038
&nbsp;Dec 16 18:12:23 192.168.1.10 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /lo_mas/lasmasNotas.html?_=1292544726571 HTTP/1.1" 200 1038
&nbsp;Dec 16 18:12:23 192.168.1.162 tmm[5103]: 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /lo_mas/lasmasNotas.html?_=1292544726571 HTTP/1.1" 200 1038
&nbsp;Dec 16 18:12:23 192.168.1.162 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /lo_mas/lasmasNotas.html?_=1292544726571 HTTP/1.1" 200 1038
&nbsp;Dec 16 18:12:24 192.168.1.10 tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /destacamos/destacamos100.html?_=1292544727392 HTTP/1.1" 200 1036
&nbsp;Dec 16 18:12:24 192.168.1.10 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /destacamos/destacamos100.html?_=1292544727392 HTTP/1.1" 200 1036
&nbsp;Dec 16 18:12:24 192.168.1.162 tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /destacamos/destacamos100.html?_=1292544727392 HTTP/1.1" 200 1036
&nbsp;Dec 16 18:12:24 192.168.1.162 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /destacamos/destacamos100.html?_=1292544727392 HTTP/1.1" 200 1036
&nbsp;Dec 16 18:12:25 192.168.1.10 tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:09 -0600] "GET /favicon.ico HTTP/1.1" 200 1068
&nbsp;Dec 16 18:12:25 192.168.1.10 192.168.1.162 - - [16/Dec/2010:18:13:09 -0600] "GET /favicon.ico HTTP/1.1" 200 1068
&nbsp;Dec 16 18:12:25 192.168.1.162 tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:09 -0600] "GET /favicon.ico HTTP/1.1" 200 1068
&nbsp;Dec 16 18:12:25 192.168.1.162 192.168.1.162 - - [16/Dec/2010:18:13:09 -0600] "GET /favicon.ico HTTP/1.1" 200 1068&nbsp;&nbsp;
&nbsp;IP 192.168.1.10 is for LTM, and .162 for my web client.&nbsp;&nbsp;
&nbsp;Does anyone have any hint?&nbsp;
&nbsp;Thanks in advance.&nbsp;
&nbsp;Dula.&nbsp;

hoolio · Answer

Hi Dula, 
&nbsp;  
&nbsp; Can you clarify what you're actually trying to do?   
&nbsp;  
&nbsp; HSL is going to be much more efficient than logging locally.  And it should be more efficient than logging remotely using 'log $syslog_ip'.  Can you try commenting out all of the log statements except the HSL logging and check whether you see two messages in tcpdumps? 
&nbsp;  
&nbsp; Thanks, Aaron

Forum Discussion

External logging writes twice

1 Reply

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

2026 301a exam

F5OS login with admin/root failed via console

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.

UCS Encryption Question

Unblock Request WAF

Related Content

Hey DeepSeek, can you write iRules?

Hey Claude, can you write iRules?

Hey ChatGPT, can you write iRules?

Writing to and rotating custom log files

Forwarding Logs to SIEM Tools via HTTP Proxy for F5 Distributed Cloud Global Log Receiver

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS