Forum Discussion
Benjamin_8557
Apr 22, 2016Altostratus
[HSL] log iRule events with HSL
Hi,
I try to send logs events in iRule with HSL but I don't see any logs on my syslog servers (2 members in my pool).
I'm logging with de command 'log'. I can see it in my /var/log/ltm but not ...
- Apr 22, 2016
The
command uses syslog-ng on the box, and by default,log
sends messages to the facility local0. Also, by default, local0 is delivered to (and only to) /var/log/ltm.log
To use High Speed Logging, you need to utilize the
primitives:HSL::
The best approach is to create a Log Publisher, the reference that from the HSL commands. Here is an example, including the configuration for the publisher:
ltm pool pool-hsl-logging { members { syslog-server-01:514 { address 10.10.10.100 session monitor-enabled state down } syslog-server-02:514 { address 10.10.10.200 session monitor-enabled state down } } monitor gateway_icmp } sys log-config destination remote-high-speed-log dest-hsl-logging { pool-name pool-hsl-logging protocol udp } sys log-config destination remote-syslog dest-syslog { format rfc5424 remote-high-speed-log dest-hsl-logging } sys log-config publisher publisher-remote-syslog { destinations { dest-syslog { } } }
An iRule using this might look like:
when RULE_INIT { set static::general_remote_syslog_publisher "publisher-remote-syslog" } when CLIENT_ACCEPTED { set hsl [HSL::open -publisher $static::general_remote_syslog_publisher] HSL::send $hsl "Client connect from [IP::client_addr]:[TCP::client_port]" } when HTTP_REQUEST { if { [HTTP::header exists X-Forwarded-For] } { HSL::send $hsl "Client has X-Forwarded-For: [HTTP::header X-Forwarded-For]" } else { HSL::send $hsl "Client has no X-Forwarded-For" } }
Vernon_97235
Apr 22, 2016Historic F5 Account
The
log
command uses syslog-ng on the box, and by default, log
sends messages to the facility local0. Also, by default, local0 is delivered to (and only to) /var/log/ltm.
To use High Speed Logging, you need to utilize the
HSL::
primitives:
The best approach is to create a Log Publisher, the reference that from the HSL commands. Here is an example, including the configuration for the publisher:
ltm pool pool-hsl-logging {
members {
syslog-server-01:514 {
address 10.10.10.100
session monitor-enabled
state down
}
syslog-server-02:514 {
address 10.10.10.200
session monitor-enabled
state down
}
}
monitor gateway_icmp
}
sys log-config destination remote-high-speed-log dest-hsl-logging {
pool-name pool-hsl-logging
protocol udp
}
sys log-config destination remote-syslog dest-syslog {
format rfc5424
remote-high-speed-log dest-hsl-logging
}
sys log-config publisher publisher-remote-syslog {
destinations {
dest-syslog { }
}
}
An iRule using this might look like:
when RULE_INIT {
set static::general_remote_syslog_publisher "publisher-remote-syslog"
}
when CLIENT_ACCEPTED {
set hsl [HSL::open -publisher $static::general_remote_syslog_publisher]
HSL::send $hsl "Client connect from [IP::client_addr]:[TCP::client_port]"
}
when HTTP_REQUEST {
if { [HTTP::header exists X-Forwarded-For] } {
HSL::send $hsl "Client has X-Forwarded-For: [HTTP::header X-Forwarded-For]"
}
else {
HSL::send $hsl "Client has no X-Forwarded-For"
}
}
- TheManuApr 28, 2016NimbostratusHi, thanks for this good example. It didn't work for me in the beginning. I then added a message filter and applied it to the publisher and now it's running. Let's check the syslog what i receive.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects