For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mazen2006_14317's avatar
Mazen2006_14317
Icon for Nimbostratus rankNimbostratus
Feb 17, 2014

iRule to log HTTP request as Apache combined standard format

Hello,

 

I need to log HTTP request and response as Apache combined standard format like this:

 

LogFormat "%h %{X-ReqTime}o %D %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

 

How to write this as an iRule code.

 

Yours,

 

application delivery
deployment
design
devops
iRules
LTM

15 Replies

Show More
  • Mazen2006_14317's avatar
    Mazen2006_14317
    Icon for Nimbostratus rankNimbostratus
    Mar 12, 2014

    Here are the results of the two commands:

         tmsh list sys syslog
sys syslog {
    include "destination remote_server {tcp(10.100.100.13 port (514));};filter f                                              _alllogs {level (debug...emerg);};log {source(local);filter(f_alllogs);destinati                                              on(remote_server);};"
    remote-servers {
        remotesyslog1 {
            host 10.100.100.13
            local-ip 172.19.208.17
        }
    }
}

 tmsh list sys syslog all-properties
sys syslog {
    auth-priv-from notice
    auth-priv-to emerg
    console-log enabled
    cron-from warning
    cron-to emerg
    daemon-from notice
    daemon-to emerg
    description none
    include "destination remote_server {tcp(10.100.100.13 port (514));};filter f_alllogs {level (debug...emerg);};log {source(local);filter(f_alllogs);destination(remote_server);};"
    iso-date disabled
    kern-from notice
    kern-to emerg
    local6-from notice
    local6-to emerg
    mail-from notice
    mail-to emerg
    messages-from notice
    messages-to warning
    remote-servers {
        remotesyslog1 {
            description none
            host 10.100.100.13
            local-ip 172.19.208.17
            remote-port 514
        }
    }
    user-log-from notice
    user-log-to emerg
}
  • Mazen2006_14317's avatar
    Mazen2006_14317
    Icon for Nimbostratus rankNimbostratus
    Mar 18, 2014

    Hello,

    I discover that we loose some logs using the log local0. command. it seems due to the UDP protocol. I need to send log to syslog by TCP. I update my irule by using the HSL command. Can i specify the source IP from which the syslog receives the logs? What is the default source IP when nothing is precised?

    when HTTP_REQUEST { set host [HTTP::host]
    set username [HTTP::username]
    set client_IP [IP::client_addr]
    set request "\"[HTTP::method] [HTTP::uri] HTTP/[HTTP::version]\""
    set request_time [clock clicks -milliseconds]
    set referer [HTTP::header "Referer"]
    set ua [HTTP::header "User-Agent"]
    set xff [HTTP::header "X-Forwarded-For"]
}
when HTTP_RESPONSE {
    set response_time [expr [clock clicks -milliseconds] - $request_time]
    set now [clock format [clock seconds] -format "%d/%b/%Y:%H:%M:%S %z"]
    set contentlength [HTTP::header "Content-Length"]
    set status [HTTP::status]

    HSL::send [HSL::open -proto TCP -pool /CLI01_COPR/POOL_SYSLOG] "$host $client_IP $username $now $request $status $contentlength \"$referer\" \"$ua\" \"$xff\" $response_time" 
}

    This irule is used by the VS whith the address 172.19.143.2%201:81. POOL_SYSLOG has one member, the node: 10.100.100.13:514.

    Please help!