
Forum Discussion

5 Replies

  • What exactly is it that you want to log? You could capture the payload of the packets with TCP::collect and then send it to a syslog server with HSL. It's a bit messy but it might fulfil your requirements.

     

  • Hi Henrik,

     

    Can you provide more details about HSL and how I can achieve this using HSL? As I am not very familiar with HSL, I am expecting some sort of help from you.

     

    Regards, Babu

     

  • HSL, or High Speed Logging, is a feature that allows syslog messages to be sent directly from TMM. We can use this in iRules among other things. HSL is described in the iRules wiki here on DevCentral:

     

    https://devcentral.f5.com/wiki/iRules.HSL.ashx

     

    As for how to do this, you didn't specify exactly what you want to log from the traffic so it's kind of hard to say. Can you provide more information?

     

  • Hi Henrik,

     

    Thanks for the update. Can you give me more details on how I can enable one particular VIP to send logs using HSL?

     

    Regards, Babu

     

  • There are a few ways to do this:

    1. An iRule - if you want to be very specific about what you log, you can issue an HSL log statement within an iRule. Example:

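      when CLIENT_ACCEPTED {
          # Open an HSL handle to the syslog pool once per client connection
          set hsl [HSL::open -proto UDP -pool syslog-pool]
      }
      when HTTP_REQUEST {
          # Match on the lower-cased URI and log only the paths of interest
          switch -glob [string tolower [HTTP::uri]] {
              "/app1*" {
                  # <134> is the syslog priority: facility local0 (16), severity info (6)
                  HSL::send $hsl "<134>User accessing /app1 from [IP::client_addr]"
              }
              "/app2*" {
                  HSL::send $hsl "<134>User accessing /app2 from [IP::client_addr]"
              }
          }
      }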
      
    2. A request logging profile - under Local Traffic - Profiles - Other - Request Logging, create a request logging profile that details what data you want captured and what syslog pool you want it sent to. This is quite a bit more brute force than the iRule approach, so maybe not entirely what you're looking for. Here's some additional information on the request logging profile nonetheless:

      http://support.f5.com/kb/en-us/products/big-ip-aam/manuals/product/aam-implementations-11-4-0/20.html?sr=33764514
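The receiving side of the iRule in option 1, as an added example that is not part of the original thread: a Python parser for the datagrams those two HSL::send calls produce, decoding the `<134>` priority and rejecting anything that does not match the expected shape. The function name, the sample datagrams and the handling of a `%` route-domain suffix on the client address are assumptions made for this example.

```python
import ipaddress
import re

# Syslog severity names and the local0..local7 facilities (RFC 5424 numbering).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {16 + n: f"local{n}" for n in range(8)}

# Shape of the two messages the iRule sends; nothing else is accepted.
LINE_RE = re.compile(r"<(\d{1,3})>User accessing (/\S+) from (\S+)")

# Constructed sample datagrams (not captured traffic).
SAMPLES = [
    b"<134>User accessing /app1 from 203.0.113.7",
    b"<134>User accessing /app2 from 10.1.1.5%2\n",
]


def parse_hsl_line(raw: bytes) -> dict:
    """Parse one UDP datagram produced by the iRule's HSL::send calls."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    m = LINE_RE.fullmatch(text)
    if m is None:
        # Covers embedded newlines and any extra fields smuggled into the line.
        raise ValueError(f"unexpected HSL message: {text!r}")
    pri = int(m.group(1))
    if pri > 191:  # highest valid PRI is facility 23 * 8 + severity 7
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    # Assumption: a route-domain suffix ("%2") may follow the address; drop it,
    # then require a literal IPv4/IPv6 address (raises ValueError otherwise).
    client = ipaddress.ip_address(m.group(3).split("%")[0])
    return {
        "facility": FACILITIES.get(facility, str(facility)),
        "severity": SEVERITIES[severity],
        "path": m.group(2),
        "client": str(client),
    }


if __name__ == "__main__":
    for datagram in SAMPLES:
        print(parse_hsl_line(datagram))
```
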