Forum Discussion

yadgayan's avatar
yadgayan
Icon for Cirrus rankCirrus
Sep 21, 2023
Solved

iRule to log traffic details

Hi,

I want to log below information to syslog via iRule

Request headers including e.g. tap-*, X-* (e.g. X-Forwarded-For & X-Forwarded-Port )
src IP
src Port
request url
referral url
method
response
sessionid
x_uri (assume included from F5)
timestamp (ms granular)

Any one has iRule handy for this or covers partially? 

 

Thank you, 

application delivery
devops
security
  • Mohamed_Ahmed_Kansoh's avatar
    Mohamed_Ahmed_Kansoh
    Sep 21, 2023

    Hi yadgayan , 

    U can use this : 

    when HTTP_REQUEST {
    log local0. "HTTP Method = [HTTP::method]"
    log local0. "HTTP URI = [HTTP::uri]"
    log local0. "HTTP Path = [HTTP::path]"
    log local0. "HTTP Query = [HTTP::query]"
    log local0. "HTTP Version = [HTTP::version]"
    log local0. "HTTP Host Header = [HTTP::host]"
    log local0. "HTTP User Agent Header = [HTTP::header value "user-agent"]"
}
when HTTP_RESPONSE {
    log local0. "HTTP Status = [HTTP::status]"
    log local0. "HTTP version = [HTTP::version]"
    log local0. "HTTP Content Length Header = [HTTP::header value "content-length"]"
}

    - you can remove any info you don't want to log it. 
    refer to this Link to find our more : https://my.f5.com/manage/s/article/K42210592

    I haven't tested this irule , but it should work. 

    By the way : you can use High speed logging ( HSL ), it's pretty good to use : 
    https://my.f5.com/manage/s/article/K00847516

    I hope this helps u 🙂 

8 Replies

Sort By
  • LiefZimmerman's avatar
    LiefZimmerman
    Icon for Admin rankAdmin
    Sep 26, 2023

    yadgayan  - If your post was solved it would be helpful to the community to select Accept As Solution.
    Thanks for joining and being part of our community.

    • LiefZimmerman's avatar
      LiefZimmerman
      Icon for Admin rankAdmin
      Sep 26, 2023

      Since there was a bit of modification on the original suggestion I've also accepted your clarification as part of the solution.
      Thanks for following up.

  • Mohamed_Ahmed_Kansoh's avatar
    Mohamed_Ahmed_Kansoh
    Icon for MVP rankMVP
    Sep 21, 2023

    Hi yadgayan , 

    U can use this : 

    when HTTP_REQUEST {
    log local0. "HTTP Method = [HTTP::method]"
    log local0. "HTTP URI = [HTTP::uri]"
    log local0. "HTTP Path = [HTTP::path]"
    log local0. "HTTP Query = [HTTP::query]"
    log local0. "HTTP Version = [HTTP::version]"
    log local0. "HTTP Host Header = [HTTP::host]"
    log local0. "HTTP User Agent Header = [HTTP::header value "user-agent"]"
}
when HTTP_RESPONSE {
    log local0. "HTTP Status = [HTTP::status]"
    log local0. "HTTP version = [HTTP::version]"
    log local0. "HTTP Content Length Header = [HTTP::header value "content-length"]"
}

    - you can remove any info you don't want to log it. 
    refer to this Link to find our more : https://my.f5.com/manage/s/article/K42210592

    I haven't tested this irule , but it should work. 

    By the way : you can use High speed logging ( HSL ), it's pretty good to use : 
    https://my.f5.com/manage/s/article/K00847516

    I hope this helps u 🙂 

  • yadgayan's avatar
    yadgayan
    Icon for Cirrus rankCirrus
    Sep 21, 2023

    i added all into single. 

     

    when HTTP_REQUEST {

        log local0. "HTTP Method = [HTTP::method] Client = [IP::client_addr] HTTP URI = [HTTP::uri] HTTP Path = [HTTP::path] HTTP Query = [HTTP::query] HTTP Version = [HTTP::version] HTTP Host Header = [HTTP::host] HTTP User Agent Header = [HTTP::header value "user-agent"] Session_ID=[ACCESS::session data get session.user.sessionid] Assigned PPP Dynamic IPv4: [ACCESS::session data get session.assigned.clientip] NA Resource: [ACCESS::session data get session.assigned.resources.na] Client IP: [ACCESS::session data get session.user.clientip]"

    }

    when HTTP_RESPONSE {

        log local0. "HTTP Status = [HTTP::status] HTTP version = [HTTP::version] HTTP Content Length Header = [HTTP::header value "content-length"]"

    }

     

    will this cover all?

    • Mohamed_Ahmed_Kansoh's avatar
      Mohamed_Ahmed_Kansoh
      Icon for MVP rankMVP
      Sep 21, 2023

      yadgayan , 
      yes all in same irule , this will be good. 

      but monitor your system resources utilization ( CPU , Memory ) 

      Go to Statistics >>> Performance report >>>> then have a look in CPU & memory graphs and curves after adding this irule. 

      it's recommended to monitor that because irules consumes cpu cycles .

  • yadgayan's avatar
    yadgayan
    Icon for Cirrus rankCirrus
    Sep 22, 2023

    its working but how i log meta of a session (e.g. cookie, transaction)?