Forum Discussion
Irule to log specific client IP to a syslog server
I need an iRule to send all the logs of 3 specific client IPs hitting a VIP to a syslog server.
Any help would be much appreciated!
- jaikumar_f5
Noctilucent
You can customize the way you want... It's going to be basic logging. You can create a DataGroup & add the IPs too. Then use the class match & verify with the DGL as well.
when CLIENT_ACCEPTED {
    set client [IP::client_addr]
    # Log only when the client is one of the three addresses of interest
    if { ( [IP::addr [IP::client_addr] equals 10.10.10.10] ) or ( [IP::addr [IP::client_addr] equals 20.20.20.20] ) or ( [IP::addr [IP::client_addr] equals 30.30.30.30] ) } {
        log local0. "Client: $client has established a connection"
    }
}
when HTTP_REQUEST {
    set client_info [IP::client_addr]:[TCP::client_port]
    set url [HTTP::header Host][HTTP::uri]
    if { ( [IP::addr [IP::client_addr] equals 10.10.10.10] ) or ( [IP::addr [IP::client_addr] equals 20.20.20.20] ) or ( [IP::addr [IP::client_addr] equals 30.30.30.30] ) } {
        log local0. "Client Source IP: $client_info is requesting URL: $url "
    }
}
when SERVER_CONNECTED {
    set pool_name [LB::server pool]
    if { ( [IP::addr [IP::client_addr] equals 10.10.10.10] ) or ( [IP::addr [IP::client_addr] equals 20.20.20.20] ) or ( [IP::addr [IP::client_addr] equals 30.30.30.30] ) } {
        log local0. "Client Source IP: [IP::client_addr]:[TCP::client_port] <--> POOL : $pool_name <--> ACTUALNODE <--> [IP::server_addr]:[TCP::server_port]"
    }
}
- sstafford
Nimbostratus
You'll have to customise the rule below to add the events you are interested in, but you can use the format as a guide;
Notes: This presumes you have created a "MyThreeIps" DataGroup in the /Common partition that includes the three client addresses you are interested in.
It also presumes that you have added a pool in /Common that consists of one or more syslog servers for use with HSL. If not, then comment out the hsl lines and uncomment the "log local" lines.
when CLIENT_ACCEPTED {
    set hsl [HSL::open -proto UDP -pool /Common/syslog]
    log local0. "HSLocal $hsl"
}
when SERVER_CONNECTED {
    if { ([class match [IP::client_addr] equals /Common/MyThreeIps]) } {
        set FrontEnd "[IP::client_addr]:[TCP::client_port] <-> [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
        set BackEnd "[IP::local_addr]:[TCP::local_port] <-> [serverside {IP::remote_addr}]:[TCP::server_port]"
        # Log connection details as local7.info; see RFC 3164 Section 4.1.1 - "PRI Part" for more info
        HSL::send $hsl "<190> LDAP HSL: $FrontEnd | $BackEnd"
        # test by logging locally
        log local0. "$FrontEnd $BackEnd"
        log local0. "$hsl"
    }
}
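For the syslog-server side of the HSL rule above, here is an added example (not code from either post) that decodes the `<190>` PRI value and splits the `FrontEnd | BackEnd` payload, so you can confirm that only the three watched clients are being logged. The function names and the sample line are constructed for illustration, and the watchlist reuses the three addresses from the first reply.

```python
import re

# Severity names by numeric code, per RFC 3164 section 4.1.1
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
# Shape produced by: HSL::send $hsl "<190> LDAP HSL: $FrontEnd | $BackEnd"
LINE_RE = re.compile(r"^<(\d{1,3})>\s*([^:]*):\s*(\S+) <-> (\S+) \| (\S+) <-> (\S+)\s*$")
# Assumed contents of the MyThreeIps data group (addresses from the first reply)
WATCHLIST = {"10.10.10.10", "20.20.20.20", "30.30.30.30"}

def decode_pri(pri):
    """Split a PRI value into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    name = "local%d" % (facility - 16) if facility >= 16 else str(facility)
    return name, SEVERITIES[severity]

def split_endpoint(text):
    """'addr:port' -> (addr, port); rsplit keeps any colons inside the address."""
    addr, port = text.rsplit(":", 1)
    return addr, int(port)

def parse_hsl_line(line):
    """Return a dict for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pri, tag, client, vip, self_ip, node = m.groups()
    try:
        facility, severity = decode_pri(int(pri))
        client_ep = split_endpoint(client)
        fields = {"client": client_ep, "vip": split_endpoint(vip),
                  "self_ip": split_endpoint(self_ip), "node": split_endpoint(node)}
    except ValueError:
        return None
    fields.update(facility=facility, severity=severity, tag=tag.strip(),
                  expected_client=client_ep[0] in WATCHLIST)
    return fields

# Constructed sample line, not captured from a real BIG-IP
SAMPLE = ("<190> LDAP HSL: 10.10.10.10:51514 <-> 192.0.2.10:389 | "
          "198.51.100.5:40112 <-> 198.51.100.20:389")

if __name__ == "__main__":
    print(parse_hsl_line(SAMPLE))
```

A line whose `expected_client` is false means the rule is logging a client outside the data group, which is worth checking against the data group contents.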