For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

EC7's avatar
EC7
Icon for Nimbostratus rankNimbostratus
Jul 01, 2016

IRULE -Caused Errors

I am VERY new to irules. I added the irule below to the my virtual server and 10 minutes later the team notified me that their application was getting errors. I need an irule that will send client IP, VS, Pool memeber information to a syslog (for my VS that are using SNAT).

 

when CLIENT_ACCEPTED { log 10.1.1.1 local0.info "Client Connected, IP: [IP::client_addr]" } when SERVER_CONNECTED { log 10.1.1.1 local0.info "Client: [IP::client_addr], Pool member [IP::server_addr]:[TCP::server_port]" }

 

Thanks, EC7

 

application delivery
iRules

6 Replies

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Jul 01, 2016

    Hi,

     

    This irule does nothing except logging... if it cause issues, it may write error with "TCL error" pattern in /var/log/ltm. find it to be sure what is wrong in your irule.

     

    I'm not sure it is a good idea to specify a remote address in log command (I never used it).

     

    Maybe it is the cause of the issue. I suggest to remove IP from log commands and configure remote logging on the system. another way is to use HSL (high speed logging).

     

  • Vijay_E's avatar
    Vijay_E
    Icon for Cirrus rankCirrus
    Jul 01, 2016

    Try this to see if simple logging on the F5 works & if there are no application issues:

    when CLIENT_ACCEPTED { 
    log local0.info "Client Connected, IP: [IP::client_addr]" 
}

when SERVER_CONNECTED { 
    log local0.info "Client: [IP::client_addr], Pool member [IP::server_addr]:[TCP::server_port]" 
}

    If there are no issues with the application, then try adding the "log 10.1.1.1" statement. This is to rule out any issues with specific logging to the syslog server.

    I think you need to use something like this - basically, swap the position of the address and the "local0.info" statement:

    log local0.info 10.1.1.1 "Client Connected, IP: [IP::client_addr]"

    https://devcentral.f5.com/articles/the101-irules-101-logging-amp-comments

  • EC7's avatar
    EC7
    Icon for Nimbostratus rankNimbostratus
    Jul 01, 2016

    Thank you all for the information.

     

    Odaah, I tested your suggestion (log local0....) with the Application's team and everything tested successfully. Using the local0...does that mean I am now sending information to the local sys log (var/log/ltm)? If so how can I send it to the remote sys logs?

     

    Stanislas, You suggested using HSL would it work in a VCMP (with two guests) setup. Do you have any links to documentation for a HSL?

     

  • VernonWells's avatar
    VernonWells
    Icon for Employee rankEmployee
    Jul 01, 2016

    HSL logging info is here: https://devcentral.f5.com/wiki/iRules.HSL.ashx.

    Yes, it will work with vCMP guests. You should create a Log Publisher:

    Then, to use it:

    when CLIENT_ACCEPTED {
     assuming you created the publisher in the /Common partition...
    set hsl [HSL::open -publisher /Common/your_publisher_name]
    
     this logs using facility local0 with level info (that's what the "134" means)...
    HSL::send $hsl "<134> your log message here..."
}