For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Wahyudi_118345's avatar
Wahyudi_118345
Icon for Nimbostratus rankNimbostratus
Apr 24, 2015
Solved

Irule script to-log-all-traffic to RSA Security Analytics Server

Dear Team,

 

We have RSA Security Analytics Server ( Event Source Log Server) . Let's said the IP RSA server is 192.168.248.131 .

 

The RSA document said this is the sample irule :

 

log local0. "iRule c-ip=[IP::client_ addr]^^method=[ HTTP::- method]^^uri=[HTTP::uri]^^host=[HTTP::host]^^sip=[ LB::server addr]^^pool-name=[LB::server pool]^^sport=[ LB::server port]^^status=[HTTP::status]"

 

But when i created the irule , the syntax is error.

 

Could someone please help me how to create the correctly syntax so can send traffic log to RSA server ( the IP is 192.168.248.131) ?

 

application delivery
BIG-IP Access Policy Manager (APM)
deployment
devops
iRules
LTM
security
  • nitass_89166's avatar
    nitass_89166
    Apr 24, 2015

    can you try something like this?

    loghost is a syslog server pool e.g. 192.168.248.131:514.

    when CLIENT_ACCEPTED {
  set hsl [HSL::open -proto UDP -pool loghost]
}
when HTTP_REQUEST {
  set host [HTTP::host]
  set uri [HTTP::uri]
  set method [HTTP::method]
}
when HTTP_RESPONSE {
  HSL::send $hsl "iRule c-ip=[IP::client_addr]^^method=$method^^uri=$uri^^host=$host^^sip=[LB::server addr]^^pool-name=[LB::server pool]^^sport=[LB::server port]^^status=[HTTP::status]"
}

6 Replies

  • nitass_89166's avatar
    nitass_89166
    Icon for Noctilucent rankNoctilucent
    Apr 24, 2015

    can you try something like this?

    loghost is a syslog server pool e.g. 192.168.248.131:514.

    when CLIENT_ACCEPTED {
  set hsl [HSL::open -proto UDP -pool loghost]
}
when HTTP_REQUEST {
  set host [HTTP::host]
  set uri [HTTP::uri]
  set method [HTTP::method]
}
when HTTP_RESPONSE {
  HSL::send $hsl "iRule c-ip=[IP::client_addr]^^method=$method^^uri=$uri^^host=$host^^sip=[LB::server addr]^^pool-name=[LB::server pool]^^sport=[LB::server port]^^status=[HTTP::status]"
}
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Apr 24, 2015

    can you try something like this?

    loghost is a syslog server pool e.g. 192.168.248.131:514.

    when CLIENT_ACCEPTED {
  set hsl [HSL::open -proto UDP -pool loghost]
}
when HTTP_REQUEST {
  set host [HTTP::host]
  set uri [HTTP::uri]
  set method [HTTP::method]
}
when HTTP_RESPONSE {
  HSL::send $hsl "iRule c-ip=[IP::client_addr]^^method=$method^^uri=$uri^^host=$host^^sip=[LB::server addr]^^pool-name=[LB::server pool]^^sport=[LB::server port]^^status=[HTTP::status]"
}
  • Mystic_142330's avatar
    Mystic_142330
    Icon for Nimbostratus rankNimbostratus
    Jul 07, 2015

    Hey guys...the solution by Nitas work. I'm having the same issue. I'm going based on what RSA is recommending for a syntax and my LTM ver 11.4.1 does not like this. I'm basically trying to send log traffic to one particular IP using RSA Secure Analytics