Forum Discussion
iRule HSL logging question with user specified text
- Oct 20, 2020
Hello Martin.
With a request-logging profile you can set any kind of format in the template field.
An example of CEF format:
CEF:0|F5|MyEnv|1|sip=$CLIENT_IP sprt=$CLIENT_PORT snatip=$SNAT_IP snatprt=$SNAT_PORT dstip=$SERVER_IP dstprt=$SERVER_PORT dhost=$BIGIP_HOSTNAME apm=$X_APM
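Where X_APM can be configured by injecting an HTTP header:
when HTTP_REQUEST {
    # Copy the APM session variable into a temporary header so the logging template can reference it
    HTTP::header replace X_APM [ACCESS::session data get session.custom.name]
}
when HTTP_REQUEST_RELEASE {
    # Remove the temporary header again before the request is sent to the backend server
    HTTP::header remove X_APM
}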
---
In case you still want to use an iRule, you can get those parameters with:
1) Hostname
$static::tcl_platform(machine)
2) Time
set curtime [clock seconds]
set formattedtime [clock format $curtime]
log "$curtime seconds since epoch, $formattedtime"
Output: 1129552706 seconds since epoch, Mon Oct 17 07:38:26 CDT 2005
Regards,
Dario.
Hello Martin.
It's better to use a request logging profile.
https://support.f5.com/csp/article/K00847516
You can add extra variables by injecting HTTP headers in HTTP_REQUEST and referencing them by the same name as the header:
$BIGIP_HOSTNAME $Host ${X-Forwarded-For} ...
If you want to avoid sending those headers to the backend server, you can remove them again using this event:
https://clouddocs.f5.com/api/irules/HTTP-REQUEST-RELEASE.html
Regards,
Dario.
- martin1 (Altostratus), Oct 19, 2020
Thanks. Not sure that would work in this case. What I need to simulate is the CEF logging format, and that is not available from a native profile format choice, plus the data I need to pass in (some arbitrary data). If in effect I am manually writing the CEF formatted message out by a number of profile objects/variables and as well an HTTP header variable(s) or two as data placeholders, I pretty much may as well just manually create the whole thing via HSL as I am currently. However, some (most) of the data that I want is matched from data available in a logging profile. This I am currently getting from TCL calls. Should they have too great a performance hit, I may well see if your proposal would alleviate that. I also didn't know of (think of) using HTTP_REQUEST like that. Interesting and devious; I will file that one away, thank you.
Martyn Roberts Vodafone/IBM Venture Swindon ISC 07881846887
- martin1 (Altostratus), Oct 20, 2020
Dario, sure, but whether I write the CEF format out once as a template or once doesn't make much difference. I was more contrasting it against the inbuilt native ability to log to CEF that exists from the AFM and ASM modules. Why is using a template better than using an HSL handle in an iRule? Is it a CPU or RAM usage item? I am not familiar enough with F5s and potential iRule overhead to know (yet). At the moment my logging is of the form:
set hsl [HSL::open -proto UDP -pool MAR-syslog]
. . .
set curtime [clock seconds]
set formattedtime [clock format $curtime -format { %b %d %T } ]
HSL::send $hsl "$formattedtime $static::tcl_platform(machine) CEF:0|F5|BIG-IP|$static::tcl_platform(osVersion)|URIiRule|URI Blocking|Low| msg=Returning from irule---no match on URI or IP found"
Martyn Roberts Vodafone/IBM Venture Swindon ISC 07881846887
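Since this thread is about placing user-specified text in a hand-built CEF line sent over HSL, the following is an added example (not code from either poster or from F5) that escapes such text first, so that a pipe, equals sign, backslash or line break in a request cannot split or forge CEF fields at the collector. The pool name and CEF header fields come from the post above; the proc names cef_ext and cef_hdr, the chosen extension keys, and iRule proc support on the running TMOS version are assumptions.

```tcl
# Added example, not from the thread. cef_ext and cef_hdr are hypothetical
# helper names; MAR-syslog and the CEF header fields are taken from the post.

# Escape a value for the CEF extension (key=value) part:
# backslash and '=' are backslash-escaped, CR/LF become the literal \r and \n.
proc cef_ext { value } {
    return [string map [list "\\" "\\\\" "=" "\\=" "\r" "\\r" "\n" "\\n"] $value]
}

# Escape a value for a CEF header field (between the pipes):
# backslash and '|' are backslash-escaped, CR/LF are replaced by a space.
proc cef_hdr { value } {
    return [string map [list "\\" "\\\\" "|" "\\|" "\r" " " "\n" " "] $value]
}

when CLIENT_ACCEPTED {
    # One HSL handle per connection, reused by every request on it
    set hsl [HSL::open -proto UDP -pool MAR-syslog]
}

when HTTP_REQUEST {
    set ts [clock format [clock seconds] -format {%b %d %T}]
    # Client-controlled strings: escape before they enter the message
    set uri [call cef_ext [HTTP::uri]]
    set ua  [call cef_ext [HTTP::header value "User-Agent"]]
    set ver [call cef_hdr $static::tcl_platform(osVersion)]
    HSL::send $hsl "$ts $static::tcl_platform(machine) CEF:0|F5|BIG-IP|$ver|URIiRule|URI Blocking|Low|src=[IP::client_addr] request=$uri requestClientApplication=$ua msg=no match on URI or IP found"
}
```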
- Oct 20, 2020
Hello Martin.
Actually request-logging should have a better performance.
But either solution is fine :-).
If this was helpful, I'd appreciate it if you mark my answer as the best to help me for the contribution.
Regards,
Dario.