Forum Discussion
NimbostratusF5 - Splunk Logging for Layer 7 XML response
Hi Guys,
Need some help on the below iRule.
Scenario below
Client ------------ > F5 -------------> Layer 7 (XML application)
Also the F5 has a iRule which capture the request and response data and forward this to Splunk .
Issue - iRule is working fine as expected except that the response data does not have a Content-Lenght field in the header as it is XML. So i am not able to find out what is the Content-Lenght to capture and forward to Splunk.
I have defined a numeric value of 200k a static HTTP:content
iRule as below ---
-------------------------------------------------------------------------------------------------------------------------
when CLIENT_ACCEPTED {
set hsl [HSL::open -proto TCP -pool Splunk_Pool]
set request_time [clock format [clock seconds] -format "%d/%b/%Y:%H:%M:%S %z"]
set unique_id [string range [AES::key 256] 8 15]
set trans_id [string range [AES::key 256] 8 31]
set src_ip [IP::client_addr]
set src_port [TCP::client_port]
set dst_ip [IP::local_addr]
set dst_port [TCP::local_port]
}
when HTTP_REQUEST {
if { [HTTP::header Content-Length] > 0 }{
HTTP::collect [HTTP::header Content-Length]
}
set method [HTTP::method]
set uri [HTTP::uri]
set version [HTTP::version]
foreach aHeader [HTTP::header names] {
append request_headers "$aHeader: [HTTP::header value $aHeader]\n"
}
}
when HTTP_REQUEST_DATA {
set request [HTTP::payload]
log local0. "$request"
HTTP::release
}
when HTTP_RESPONSE {
if { [HTTP::header Content-Length] > 0 }{
HTTP::collect [HTTP::header Content-Length]
}
HTTP::collect [HTTP::header Content-Length]
foreach bHeader [HTTP::header names] {
append response_headers "$bHeader: [HTTP::header value $bHeader]\n"
}
set status [HTTP::status]
}
when HTTP_RESPONSE_DATA {
set response [HTTP::payload]
log local0. "$response"
HTTP::release
}
when CLIENT_CLOSED {
set log_data "\[$request_time\] $trans_id $src_ip $src_port $dst_ip $dst_port \n"
append log_data "Client Header:\n"
append log_data "$method $uri $version\n"
append log_data $request_headers
append log_data "\nClient Body:\n"
append log_data "$request\n"
append log_data "\nServer Header:\n"
append log_data "HTTP/$version $status\n$response_headers\n"
append log_data "Server Body:\n"
append log_data "$response\n"
append log_data "_EOF_\n"
HSL::send $hsl $log_data
}
-------------------------------------------------------------------------------------------------------------------------
when i use the above iRule i can see the request go through and response come back however the F5 doesnt forward any packets to Splunk as it has the following error :
- expected integer but got ""Illegal argument. Invalid integer value (line 1) invoked from within "HTTP::collect [HTTP::header Transfer-Enconding]"
The method that XML uses is Transfer-Enconding.
So the option is to write a iRule with static Content-Length : 200k (as example) and this works i am able to capture all data required and log it. Changing this in the irule for both the HTTP_REQUEST and HTTP_RESPONSE section.
when HTTP_REQUEST {
HTTP::collect 204800
set method [HTTP::method]
set uri [HTTP::uri]
set version [HTTP::version]
foreach aHeader [HTTP::header names] {
append request_headers "$aHeader: [HTTP::header value $aHeader]\n"
}
}
------------------------------------------------
when HTTP_RESPONSE {
HTTP::collect 204800
foreach bHeader [HTTP::header names] {
append response_headers "$bHeader: [HTTP::header value $bHeader]\n"
}
set status [HTTP::status]
}
-----------------------------------------------
* Problem with this is if the response data if it is more than 200k it will truncate this or less than 200k waits for the data to return before forwaring to Splunk.
Second option to some how read the XML response and determine the message length for F5 to capture these.
Any help appreciated.
Regards
Sriram.
