Forum Discussion
NimbostratusiRule to log an output to syslog server.
Folks, I am looking for some changes to an iRule while will log an output to a syslog server directly. My iRule check if the connection is on TLS1.0 and if yes logs the client IP address.
The change I need is to log this client IP to a syslog server.
Here is the iRule: when HTTP_REQUEST { if { [SSL::cipher version] eq "TLSv1" } { log local0. "Webmail Client Source IP: [IP::client_addr]" } }
Thanks!!!! N.
PeteWhiteEmployee
You want to use HSL - high-speed logging. You can do that either to a pool ( of log servers ) or via a publisher. Below is an example to a pool but i'm sure you can work out how to send it to a publisher.
when HTTP_REQUEST { if { [SSL::cipher version] eq "TLSv1" } { set hsl [HSL::open -proto UDP -pool syslog_server_pool] HSL::send $hsl "Webmail Client Source IP: [IP::client_addr]" } }Take a look here for details of the HSL commands
- Kai_Wilke
MVP
Hi N.,
you may take a look to the
(High Speed Logging) iRule command. The command will bypass the local SYSLOG-NG environment and directly open a connection to your SYSLOG out of an iRule...[HSL]https://devcentral.f5.com/wiki/iRules.HSL.ashx
when CLIENT_ACCEPTED { Open a UDP based SYSLOG connection to your syslog server pool. set hsl [HSL::open -proto UDP -pool syslog_server_pool] } when HTTP_REQUEST { if { [SSL::cipher version] eq "TLSv1" } then { Log client IP as local7.info over the just created connection... HSL::send $hsl "<190> Webmail Client Source IP: [IP::client_addr]" } }Cheers, Kai
