Forum Discussion
gpoverland
Nimbostratus
Sep 18, 2008
iRule to log requests made to specific URL
Ok, trying to send logs to a syslog-ng server to record what hosts are making requests to a specific URL. There are several extensions, so I have to send only the logs for a specific URI. I've compiled this from reading and looking around, but I usually come to the forum to provide a "sure this will work" or a "you're out of your mind"... So please, take a look and let me know if I'm close.. hahahahaha thanks
when HTTP_REQUEST {
    # select the specific URI (placeholder path; forward slashes, because
    # backslashes inside a quoted expr string are Tcl escape characters)
    if { [HTTP::uri] contains "/some/extension" } {
        # set the URL here
        set url [HTTP::host][HTTP::uri]
        # set the client making the request here
        set client [IP::client_addr]
        # log connection info (kept inside the if block, so $client and $url
        # are always defined when the log command runs)
        log 10.10.10.10 local0.info "Client: $client -> URL:$url"
    }
}
8 Replies
- gpoverland
Nimbostratus
Cool thanks...
- gpoverland
Nimbostratus
Ok, I implemented this iRule last night and it doesn't appear to be sending the logs to the syslog server. I can't tell if it's a criteria issue or a syslog issue; I have to do some checking. But I was wondering if there was something else I needed to do, a step I missed. For example, did I need to configure the remote syslog somewhere else before I implemented this iRule?
- Nicolas_Menant
Employee
What is your BIG-IP version?
You need to be on version 9.4.4 at least to be able to do it.
- gpoverland
Nimbostratus
9.4.3 hahahahhaha dang... so what options do I have (besides upgrading)?
- Nicolas_Menant
Employee
The only option remaining will be to send your iRule logging to a local facility which is not used.
FYI local1 is used for Enterprise Manager and should log by default to /var/log/em
local2 -> GTM module /var/log/gtm
local3 -> ASM module /var/log/asm
Then you configure your syslog-ng to send messages with this facility to a remote syslog server.
It will probably be less efficient but should work.
- gpoverland
Nimbostratus
Interesting... Can't say that I've done that but let me see what it entails. Thanks for the advice.
- Nicolas_Menant
Employee
Those links may help you:
overview of the syslog-ng.conf file: Click here
how to send to a remote syslog server: Click here
- gpoverland
Nimbostratus
Ok, got this configured but the logs are not being forwarded to the remote syslog... I used the bottom section of SOL5527. Any ideas?
Configuring the BIG-IP to send specific logs to remote servers
You can specify which log files the syslog utility should send to remote servers (rather than sending all traffic to a remote syslog server and parsing out only the log files you want to capture). This configuration reduces filtering overhead when only specific logs are needed.
To configure the BIG-IP system to send specific logs to remote servers, perform the following procedure:
1. Log in to the command line.
2. Change directories to the /etc/syslog-ng/ directory by typing the following command:
cd /etc/syslog-ng/
3. Back up the current syslog-ng.conf file by typing the following command:
cp syslog-ng.conf syslog-ng.conf.original
4. Using a text editor, open the syslog-ng.conf file.
5. Locate the following syntax, which is located before the various log files and their options are specified:
options {
    dir_perm(0755);
    perm(0644);
    chain_hostnames(no);
    keep_hostname(yes);
    stats(0);
    log_fifo_size(2048);
};
source local {
    unix-stream("/dev/log");
    pipe("/proc/kmsg");
    udp(ip(127.0.0.1) port(514));
    udp(ip(127.2.0.2) port(514));
    internal();
};
6. Add the following destination entry on a new line after the syntax in Step 5:
destination remote_server {
    udp("x.x.x.x" port(514));
};
Note: Replace x.x.x.x with the IP address of the remote log server.
7. Locate the log section for the specific messages that you want to send to a remote server and add the new destination to it.
For example:
Add the remote destination so that all log information for /var/log/ltm is still recorded to the /var/log/ltm file and is also sent to the remote server.
Original /var/log/ltm entry in syslog-ng.conf:
local0.* /var/log/ltm
filter f_local0 {
    facility(local0) and level(debug..emerg);
};
filter f_no_audit {
    not match("AUDIT");
};
destination d_ltm {
    file("/var/log/ltm" create_dirs(yes));
};
log {
    source(local);
    filter(f_local0);
    filter(f_no_audit);
    destination(d_ltm);
};
Change the log section to include the new destination created in Step 6:
local0.* /var/log/ltm
filter f_local0 {
    facility(local0) and level(debug..emerg);
};
filter f_no_audit {
    not match("AUDIT");
};
destination d_ltm {
    file("/var/log/ltm" create_dirs(yes));
};
log {
    source(local);
    filter(f_local0);
    filter(f_no_audit);
    destination(d_ltm);
    destination(remote_server);
};
8. Repeat Step 7 for each log file whose log information you want copied to the remote log server.
9. Save the changes made to the syslog-ng.conf file.
10. Restart syslog-ng with the following command:
bigstart restart syslog-ng
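As an added example (not from the thread or from F5's article), here is the unused-facility approach Nicolas_Menant suggested, written as syslog-ng.conf additions: the iRule's log line becomes `log local5.info "Client: $client -> URL:$url"`, and syslog-ng forwards only that facility to the collector, so the per-message filtering the original poster wanted happens on the BIG-IP rather than on the syslog server. The facility local5, the collector address 192.0.2.10 and the local file path are assumptions; confirm local5 is not already referenced in your syslog-ng.conf before using it.

```conf
# Added example, not F5's shipped configuration.
# Assumptions: local5 is unused on this BIG-IP, 192.0.2.10 is the collector.

# Match only what the iRule emits with "log local5.info ...".
filter f_irule_remote {
    facility(local5);
};

# Remote collector (same udp() form as the destination in Step 6).
destination remote_server {
    udp("192.0.2.10" port(514));
};

# Local copy so the messages can still be inspected if the UDP path drops them.
destination d_irule_local {
    file("/var/log/irule_remote" create_dirs(yes));
};

# source(local) is the existing source block from Step 5.
log {
    source(local);
    filter(f_irule_remote);
    destination(d_irule_local);
    destination(remote_server);
};
```

Because the facility filter does not apply f_no_audit, nothing else logged to local5 is excluded; that is the reason the facility must be otherwise unused.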