iRule to log MSRDP traffic to syslog server?

Question

Kind of flying by the seat of pants here since I'm new to writing iRules. I'm trying to log RDP traffic and see if I can grab the user names of the people that have RDP sessions coming through the VIP. Once I have that I can start to manipulate the traffic. Am I on the right track?

when CLIENT_ACCEPTED {

Logging handle to syslog_pool

set hsl [HSL::open -proto UDP -pool pool_syslog]

Collect TCP Data

$rdpdata [TCP::collect]

HSL::send $hsl $rdpdata

}

hooleylist · Answer

Hi, 
&nbsp;  
&nbsp; Here's an example from Jason for parsing the RDP data to get the username.  You could start with that and add the HSL. 
&nbsp;  
&nbsp; http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/25271/showtab/groupforums/Default.aspx 
&nbsp;  
&nbsp; Aaron

nzyme_68513 · Answer

How's this look to you guys? 
&nbsp;  
&nbsp; when CLIENT_ACCEPTED {   
&nbsp; Logging handle to syslog_pool  
&nbsp; set hsl [HSL::open -proto UDP -pool pool_syslog] 
&nbsp; Collect TCP Data 
&nbsp; TCP::collect 1024 
&nbsp; } 
&nbsp;  
&nbsp; when CLIENT_DATA { 
&nbsp; Dump data to HSL  
&nbsp; HSL::send $hsl [TCP::payload] 
&nbsp; TCP::release 
&nbsp; }

jrahm · Answer

you can pre-parse to pull the username out and log that to save processing on the backside. That said, if the user doesn't submit their credentials at the initiation of the connection, you'll never see them.

Forum Discussion

iRule to log MSRDP traffic to syslog server?

Recent Discussions

ports are showing open on online scanning tool

Upgrade F5 BIGIP

DNS HM Probe issue

Is XFF a must for ASM WAF DoS

Switch ssl profile based on weak cipher detection via IRULE

Related Content

Logging TLS traffic less than TLSv1.2

Traffic Shaping and Atlassian Jira

Need to Transfer Server Connection log to a Syslog Server

VIP for syslog traffic

Floating IPs on new traffic group members

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS