Forum Discussion
Mark_62437
Nimbostratus
NimbostratusIdentifying specific Header and logging time they attach?
I have created the following iRule:
Keep in mind first kick at the cat.
when HTTP_REQUEST {
if { [HTTP::header] contains "True-Client-IP" }
log local0. "in HTTP_REQUEST"
I am trying to log everytime traffic from the above header passes inbound. I read that the log file can be very large. All I need is to identify what time traffic from this header passes. Will the above iRule do this or is it to basic?
Thanks
Mark
3 Replies
- You might try this:
when HTTP_REQUEST { Log the start of a new HTTP request set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]" log local0. "$LogString (request)" }
I lifted this bit from a larger iRule
http://devcentral.f5.com/wiki/default.aspx/iRules/LogTcpAndHttpRequestResponseInfo.html
...that logs a ton of additional information. Log size can be concerning, especially if you have a lot of traffic. Why not log these entries off of the LTM completely, via syslog? There's some information on syslogging from within an iRule here:
http://devcentral.f5.com/wiki/default.aspx/iRules/log.html 
Mark_62437Thanks jquinby!
Colin, how would you suggest I cut down the log files?- The rule could be as short as:
when HTTP_REQUEST { if { [HTTP::header exists "True-Client-IP"] } { set LogString "[IP::client_addr]" log local0. "$LogString" } }
The date and timestamp would be added by your logging facility, yielding lines that should look something like this:Dec 10 11:43:09 bigip tmm tmm[1653]: Rule simple_timestamp : 10.10.10.102
(the odd character is the forum trying to render the PID as a control character of some kind)
