For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mike_73765's avatar
Mike_73765
Icon for Nimbostratus rankNimbostratus
Nov 17, 2010

Irule for remote logging

Hey guys,

 

 

 

I have a one are configuration, and I want to log each connection to a syslog server. I want to log client ip address along with node ip address. I'm assuming I'll have to use 2 events, http_request and lb_selected.

 

 

Could someone please help me out with the syntax?

 

 

Thanks,

 

Mike
application delivery
dev
devops
iRules

7 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Nov 17, 2010
    Hi Mike,

    If you're on 10.1+ you could use the HSL commands and log a single entry in SERVER_CONNECTED when LTM establishes a connection with the pool member. Here's an untested example: 

    
when CLIENT_ACCEPTED {
   set hsl [HSL::open -proto UDP -pool syslog_server_pool]
}
when SERVER_CONNECTED {
    Log HTTP request via syslog protocol as local7.info; see RFC 3164 for more info
   HSL::send $hsl "<190> Client: [IP::client_addr]:[TCP::client_port], VS: [clientside {IP::local_addr}][clientside {TCP::local_port}], SNAT: [IP::local_addr]:[TCP::local_port], Pool member [IP::server_addr]:[TCP::server_port]"
}

    Else, if you're on 9.4.0 - 10.0.x, you could use log -remote to send the messages to a remote syslog server without going through the local syslog-ng daemon:

    log command wiki page:

    http://devcentral.f5.com/wiki/default.aspx/iRules/log

    iRules Update: New options for the "log" command

    http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=190

    Aaron
  • Mike_73765's avatar
    Mike_73765
    Icon for Nimbostratus rankNimbostratus
    Nov 18, 2010
    Thanks Aaron.

     

     

    Here's what i have so far. How can i concatenate this information from the 2 events into one log message that is sent to the syslog server, per connection?

     

     

     

    when CLIENT_ACCEPTED {

     

    log 10.10.231.1 local0.info "Client Connected, IP: [IP::client_addr]"

     

    }

     

    when SERVER_CONNECTED {

     

    log 10.10.231.1 local0.info "And Pool member [IP::server_addr]:[TCP::server_port]"

     

    }
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Nov 18, 2010
    Sure: [IP::client_addr] is available any time after the connection from the client to the VS is established: 

    
when SERVER_CONNECTED { 
   log 10.10.231.1 local0.info "Client: [IP::client_addr], Pool member [IP::server_addr]:[TCP::server_port]"
}

    Also, if you're already SNAT'ing all of the serverside traffic you should consider adding a default OneConnect profile to the virtual server to re-use the serverside connections and reduce LTM and server load.

    Aaron
  • sprashanthac_81's avatar
    sprashanthac_81
    Icon for Nimbostratus rankNimbostratus
    Feb 02, 2011
    Everyone is writing the irule but none of them telling what this irule is used for and how to implement it. The usage is very important
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Feb 03, 2011
    Hi sprashanthac,

     

     

    See my reply here:

     

     

    http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/afv/topic/aft/1144945/aff/5/showtab/groupforums/Default.aspx

     

     

    Aaron
  • sprashanthac_81's avatar
    sprashanthac_81
    Icon for Nimbostratus rankNimbostratus
    Feb 08, 2011
    Thanks Aaron. This one is a good solution for HSL logging. will try this and get back on more issues. Seems like I need more detailed way of logging set up for each type of log. Will post the question.