Forum Discussion
iRule HSL logging question with user specified text
Hello Martin.
It's better to use a request logging profile.
https://support.f5.com/csp/article/K00847516
You can add extra variables by injecting HTTP headers in HTTP_REQUEST and referencing them with the same name as the header:
$BIGIP_HOSTNAME $Host ${X-Forwarded-For} ...
If you want to avoid sending those headers to the backend server, you can remove them again using this event:
https://clouddocs.f5.com/api/irules/HTTP-REQUEST-RELEASE.html
Regards,
Dario.
- martyn Oct 19, 2020
Altostratus
Thanks. Not sure that would work in this case. What I need to simulate is the CEF logging format, and that is not available from a native profile format choice, plus the data I need to pass in (some arbitrary data). If in effect I am manually writing the CEF formatted message out by a number of profile objects/variables and as well an HTTP header variable(s) or two as data placeholders, I pretty much may as well just manually create the whole thing via HSL as I am currently. However, some (most) of the data that I want is matched from data available in a logging profile. This I am currently getting from TCL calls. Should they have too great a performance hit, I may well see if your proposal would alleviate that. I also didn't know of (think of) using HTTP_REQUEST like that. Interesting and devious; I will file that one away, thank you.
Martyn Roberts Vodafone/IBM Venture Swindon ISC 07881846887
- Dario_Garrido Oct 20, 2020
Noctilucent
Hello Martin.
With a request-logging profile you can set any kind of format in the template field.
An example of CEF format:
    CEF:0|F5|MyEnv|1|sip=$CLIENT_IP sprt=$CLIENT_PORT snatip=$SNAT_IP snatprt=$SNAT_PORT dstip=$SERVER_IP dstprt=$SERVER_PORT dhost=$BIGIP_HOSTNAME apm=$X_APM
Where 'X_APM' can be configured by injecting an HTTP header:
    when HTTP_REQUEST {
        # Copy the APM session variable into a header the logging template can reference
        HTTP::header replace X_APM [ACCESS::session data get session.custom.name]
    }
    when HTTP_REQUEST_RELEASE {
        # Remove the helper header before the request goes to the backend
        HTTP::header remove X_APM
    }
---
In case you still want to use an iRule, you can get those parameters with:
1) Hostname
    $static::tcl_platform(machine)
2) Time
    set curtime [clock seconds]
    set formattedtime [clock format $curtime]
    log "$curtime seconds since epoch, $formattedtime"
Output: 1129552706 seconds since epoch, Mon Oct 17 07:38:26 CDT 2005
Regards,
Dario.
- martyn Oct 20, 2020
Altostratus
Dario, Sure, but whether I write the CEF format out once as a template or once doesn't make much difference. I was more contrasting it against the in-built native ability to log to CEF that exists from the AFM and ASM modules. Why is using a template better than using an HSL handle in an iRule? Is it a CPU or RAM usage item? I am not familiar enough with F5s and potential iRule overhead to know (yet). At the moment my logging is of the form:
    set hsl [HSL::open -proto UDP -pool MAR-syslog]
    . . .
    set curtime [clock seconds]
    set formattedtime [clock format $curtime -format { %b %d %T } ]
    HSL::send $hsl "$formattedtime $static::tcl_platform(machine) CEF:0|F5|BIG-IP|$static::tcl_platform(osVersion)|URIiRule|URI Blocking|Low| msg=Returning from irule---no match on URI or IP found"
Martyn Roberts Vodafone/IBM Venture Swindon ISC 07881846887
- Dario_Garrido Oct 20, 2020
Noctilucent
Hello Martin.
Actually request-logging should have a better performance.
But either solution is fine :-).
If this was helpful, I'd appreciate it if you marked my answer as the best, to help me for the contribution.
Regards,
Dario.
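An added example, not code from the thread: martyn's HSL::send line extended to carry request-derived text, with the escaping CEF requires so that a user-controlled value cannot forge header fields, extra key=value pairs or a second log line. The proc names cef_hdr and cef_ext and the choice of HTTP::uri as the user-specified text are assumptions; the pool name and CEF header values are those in martyn's post, and the iRule relies on proc/call support.

```tcl
# Added example, not from the thread. cef_hdr and cef_ext are hypothetical names.

# CEF header fields are pipe-delimited: escape backslash and pipe, and turn
# CR/LF into spaces so a value cannot start a second syslog line.
proc cef_hdr {v} {
    return [string map [list "\\" "\\\\" "|" "\\|" "\r" " " "\n" " "] $v]
}

# CEF extension values are split on " key=": escape backslash and '=', and
# write CR/LF as the two-character sequences \r and \n.
proc cef_ext {v} {
    return [string map [list "\\" "\\\\" "=" "\\=" "\r" "\\r" "\n" "\\n"] $v]
}

when CLIENT_ACCEPTED {
    # Pool name as in martyn's post
    set hsl [HSL::open -proto UDP -pool MAR-syslog]
}

when HTTP_REQUEST {
    set ts  [clock format [clock seconds] -format {%b %d %T}]
    set ver [call cef_hdr $static::tcl_platform(osVersion)]

    # Assumption: the user-specified text is the request URI, which the
    # client fully controls (query strings routinely contain '=').
    set uri [call cef_ext [HTTP::uri]]
    set msg [call cef_ext "Returning from irule---no match on URI or IP found"]

    # src, request and msg are standard CEF extension keys
    HSL::send $hsl "$ts $static::tcl_platform(machine) CEF:0|F5|BIG-IP|$ver|URIiRule|URI Blocking|Low|src=[IP::client_addr] request=$uri msg=$msg"
}
```

The same escaping applies to a value placed in a header for a request-logging template, since the profile substitutes the header text into the template as-is.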