External logging writes twice

Question

Hi Guys,&nbsp;
&nbsp;I have a problem with an external logging because irule writes twice lines. Here's the code:&nbsp;
&nbsp;when CLIENT_ACCEPTED {
&nbsp;   set hsl [HSL::open -proto UDP -pool syslog_server_pool]
&nbsp;}
&nbsp;when HTTP_REQUEST {
&nbsp;   set LogUri [HTTP::uri] 
&nbsp;}
&nbsp;when HTTP_RESPONSE {
&nbsp;    if {[HTTP::status] eq 200} {
&nbsp;        set now [clock format [clock seconds] -format "%d/%b/%Y:%H:%M:%S %z"]
&nbsp;        set LogString "[IP::client_addr] - - $$$now$$ \"GET $LogUri HTTP/[HTTP::version]\" [HTTP::status] [HTTP::payload length]"
&nbsp;        log -noname local0. "$LogString"
&nbsp;        log -noname 192.168.1.152 local0. "$LogString"
&nbsp;        HSL::send $hsl "$LogString"
&nbsp;    }
&nbsp;}&nbsp;&nbsp;
&nbsp;with line "log -noname local0. ..." it works perfectly well.
&nbsp;But, when log goes externally using log or HSL, it writes twice: the first line, origin IP is from web client. The origin iP on second line is from LTM.
&nbsp;I made a capture using wireshark and there's two messages, so that's why I got 2 lines with the same content.&nbsp;
&nbsp;Where is the /var/log/ltm output:
&nbsp;Dec 16 18:13:06 local/tmm1 info tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:06 -0600] "GET /articulos/62079.html HTTP/1.1" 200 1021
&nbsp;Dec 16 18:13:08 local/tmm info tmm[5103]: 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /lo_mas/lasmasNotas.html?_=1292544726571 HTTP/1.1" 200 1038
&nbsp;Dec 16 18:13:08 local/tmm1 info tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /destacamos/destacamos100.html?_=1292544727392 HTTP/1.1" 200 1036
&nbsp;Dec 16 18:13:09 local/tmm1 info tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:09 -0600] "GET /favicon.ico HTTP/1.1" 200 1068&nbsp;&nbsp;
&nbsp;Where is the syslog output:
&nbsp;Dec 16 18:12:22 192.168.1.10 tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:06 -0600] "GET /articulos/62079.html HTTP/1.1" 200 1021
&nbsp;Dec 16 18:12:22 192.168.1.162 tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:06 -0600] "GET /articulos/62079.html HTTP/1.1" 200 1021
&nbsp;Dec 16 18:12:22 192.168.1.10 192.168.1.162 - - [16/Dec/2010:18:13:06 -0600] "GET /articulos/62079.html HTTP/1.1" 200 1021
&nbsp;Dec 16 18:12:22 192.168.1.162 192.168.1.162 - - [16/Dec/2010:18:13:06 -0600] "GET /articulos/62079.html HTTP/1.1" 200 1021
&nbsp;Dec 16 18:12:23 192.168.1.10 tmm[5103]: 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /lo_mas/lasmasNotas.html?_=1292544726571 HTTP/1.1" 200 1038
&nbsp;Dec 16 18:12:23 192.168.1.10 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /lo_mas/lasmasNotas.html?_=1292544726571 HTTP/1.1" 200 1038
&nbsp;Dec 16 18:12:23 192.168.1.162 tmm[5103]: 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /lo_mas/lasmasNotas.html?_=1292544726571 HTTP/1.1" 200 1038
&nbsp;Dec 16 18:12:23 192.168.1.162 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /lo_mas/lasmasNotas.html?_=1292544726571 HTTP/1.1" 200 1038
&nbsp;Dec 16 18:12:24 192.168.1.10 tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /destacamos/destacamos100.html?_=1292544727392 HTTP/1.1" 200 1036
&nbsp;Dec 16 18:12:24 192.168.1.10 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /destacamos/destacamos100.html?_=1292544727392 HTTP/1.1" 200 1036
&nbsp;Dec 16 18:12:24 192.168.1.162 tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /destacamos/destacamos100.html?_=1292544727392 HTTP/1.1" 200 1036
&nbsp;Dec 16 18:12:24 192.168.1.162 192.168.1.162 - - [16/Dec/2010:18:13:08 -0600] "GET /destacamos/destacamos100.html?_=1292544727392 HTTP/1.1" 200 1036
&nbsp;Dec 16 18:12:25 192.168.1.10 tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:09 -0600] "GET /favicon.ico HTTP/1.1" 200 1068
&nbsp;Dec 16 18:12:25 192.168.1.10 192.168.1.162 - - [16/Dec/2010:18:13:09 -0600] "GET /favicon.ico HTTP/1.1" 200 1068
&nbsp;Dec 16 18:12:25 192.168.1.162 tmm1[5104]: 192.168.1.162 - - [16/Dec/2010:18:13:09 -0600] "GET /favicon.ico HTTP/1.1" 200 1068
&nbsp;Dec 16 18:12:25 192.168.1.162 192.168.1.162 - - [16/Dec/2010:18:13:09 -0600] "GET /favicon.ico HTTP/1.1" 200 1068&nbsp;&nbsp;
&nbsp;IP 192.168.1.10 is for LTM, and .162 for my web client.&nbsp;&nbsp;
&nbsp;Does anyone have any hint?&nbsp;
&nbsp;Thanks in advance.&nbsp;
&nbsp;Dula.&nbsp;

hooleylist · Answer

Hi Dula, 
&nbsp;  
&nbsp; Can you clarify what you're actually trying to do?   
&nbsp;  
&nbsp; HSL is going to be much more efficient than logging locally.  And it should be more efficient than logging remotely using 'log $syslog_ip'.  Can you try commenting out all of the log statements except the HSL logging and check whether you see two messages in tcpdumps? 
&nbsp;  
&nbsp; Thanks, Aaron

Forum Discussion

External logging writes twice

Recent Discussions

Can you set Kerberos AAA server via session variable?

HTML Code injection Not detected by ASM

What will be happen to live and existing connections when failover HA BIG IP active-standby

SSL Offload and remove FQDN

High CPU utilization (100%).

Related Content

Hey ChatGPT, can you write iRules?

LTM Policy don't send to external log server

Cyberattacks On Embassies, Threat Actor Using ChatGPT To Write Malware, and MMS Vulnerabilities

Writing to and rotating custom log files

CSV to Address External Datagroup File

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS