Forum Discussion

BasRoos's avatar
BasRoos
Icon for Nimbostratus rankNimbostratus
Jan 04, 2023

F5 LTM request logging via different route domain

Hi everyone! Happy new year 🙂

We are trying to configure request logging via HSL on our F5 LTM. We have the following things to start with:

  • Common partition with the default route domain, which is in an (internal) management network, and has access to some internal services, including a central syslog platform (Graylog)
  • Various other partitions, each with their own route domains, which only have access to specific networks (for discussion sake, let's say 1 public "outside" and 1 private "inside" network)

During testing, we already got the F5 to send out logs to the syslog platform (tested via tcpdump) when we created the request log profile and the pool with the (public) IP of the syslog server in the same partition as the virtual server. However, this approach would mean that we could have to create the request log profile and pool in every partition, and also arrange that every paritition is able to reach the syslog platform.

A cooler approach for us would be to put the request log profile and the pool for logging in the Common partition, using the default route domain, and configure the virtual server to use this profile to log. However, when we configure this, we see no logs leaving the F5 (testing via tcpdump).

We are not sure if it is even technically possible to use a logging profile in the Common partition and another route domain than the one in which the virtual server resides, but also couldn't find this information in the documentation.

Some technical info:

Configuration:

 

ltm pool /Common/graylog-common {
    members {
        /Common/graylog-common-service:514 {
            address 172.18.37.100%0
        }
    }
}
ltm profile request-log /Common/graylog-common {
    app-service none
    defaults-from /Common/request-log
    response-log-pool /Common/graylog-common
    response-log-template "{\"text\": \"value\"}"
    response-logging enabled
}
ltm virtual vs_public_requestlog-test_80 {
    creation-time 2023-01-04:09:20:17
    destination <a public IP>%15:80
    ip-protocol tcp
    last-modified-time 2023-01-04:09:45:26
    mask 255.255.255.255
    partition Test
    pool <pool name>
    profiles {
        /Common/graylog-common { }
        /Common/http { }
        /Common/tcp { }
    }
    serverssl-use-sni disabled
    source <test source IP network>/24
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 7
}

 

The route domain 0 has a default route into our management network, and we can reach the logging server IP from there (tested via rdexec 0 ping <IP> as well as a telnet to a TCP port which we know is open on that platform as well).

The route domain 15 has a default route towards the internet and some internal routes to reach the "inside" network. It cannot reach the syslog platform via the configured private IP (172.18.37.100) which is as intended.

We also tested a similar configuration, but using the public IP of the syslog platform instead (which is reachable from route domain 15, and not from route domain 0), but also did not see any syslog traffic leave the F5.

So in short, my questions are:

  • Is it technically possible to send HSL request logs to a syslog server which is reachable from another route domain as the one in which the virtual server is configured
  • If yes, any idea what configuration we are missing to achieve this?
  • If no, is there another way we could use a request-log profile in the Common partition which can be used by all other partitions?

Thanks for taking the time to read thus far, and even more so if you have some spare time to help us out 🙂

  • Hi!

    Have you tried this irule? : 

    when CLIENT_ACCEPTED {
      set my_hsl [HSL::open -publisher /<partition>/<log publisher>]
    }
    when HTTP_REQUEST {
      HSL::send $my_hsl "Request: [HTTP::host][HTTP::uri]"
      log local0.info "Request: [HTTP::host][HTTP::uri]"
    }
    when CLIENT_CLOSED {
      unset my_hsl
    }

    I found this here: 

    https://support.f5.com/csp/article/K50040950

     

  • Thanks for your reply mihaic! I had not run into that page yet, and does look promising. At first glance it works a bit different than what I had in mind, and uses iRules where I found the request-log profile a more elegant solution.

    I did try to implement it just now, but did not see any traffic leave the F5 yet. I might need to spend a bit more time fiddling with it. If I can get that to work, then it is at least better than having to create a configuration for each partition 🙂