Forum Discussion

NzYme_68513's avatar
NzYme_68513
Icon for Nimbostratus rankNimbostratus
Dec 19, 2011

iRule to log MSRDP traffic to syslog server?

Kind of flying by the seat of pants here since I'm new to writing iRules. I'm trying to log RDP traffic and see if I can grab the user names of the people that have RDP sessions coming through the VIP. Once I have that I can start to manipulate the traffic. Am I on the right track?

 

 

 

 

when CLIENT_ACCEPTED {

 

Logging handle to syslog_pool

 

set hsl [HSL::open -proto UDP -pool pool_syslog]

 

Collect TCP Data

 

$rdpdata [TCP::collect]

 

HSL::send $hsl $rdpdata

 

}

 

 

 

application delivery
dev
devops
iRules

3 Replies

Sort By
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Dec 19, 2011
    Hi,

     

     

    Here's an example from Jason for parsing the RDP data to get the username. You could start with that and add the HSL.

     

     

    http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/25271/showtab/groupforums/Default.aspx

     

     

    Aaron
  • NzYme_68513's avatar
    NzYme_68513
    Icon for Nimbostratus rankNimbostratus
    Dec 19, 2011
    How's this look to you guys?

     

     

    when CLIENT_ACCEPTED {

     

    Logging handle to syslog_pool

     

    set hsl [HSL::open -proto UDP -pool pool_syslog]

     

    Collect TCP Data

     

    TCP::collect 1024

     

    }

     

     

    when CLIENT_DATA {

     

    Dump data to HSL

     

    HSL::send $hsl [TCP::payload]

     

    TCP::release

     

    }
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Dec 20, 2011
    you can pre-parse to pull the username out and log that to save processing on the backside. That said, if the user doesn't submit their credentials at the initiation of the connection, you'll never see them.