Forum Discussion

ToonVA's avatar
ToonVA
Icon for Cirrus rankCirrus
Jun 20, 2019

Log client source IP when connecting to TCP Virtual by iRule

Hi All,

I received the request if it is possible to log the client IP when connecting to the virtual IP.

We did this already based on an HTTP Virtual but now it's for an SMTP relay with regular TCP and so we can't attached the same iRule.

when HTTP_REQUEST {
    if { [info exists logged] && $logged == 1 }{
        # Do nothing. Already logged for this connection
    } else {
        set logged 1
        log "ClientIP Information, from [IP::remote_addr] to vip [IP::local_addr] Cipher [SSL::cipher name]:[SSL::cipher version]:[SSL::cipher bits] User-Agent:[HTTP::header "User-Agent"]"
    }
}

I tried to find something similar just for plain TCP but was not able to find it and therefor i come checking in with you guys.

Does someone has information on how we can achieve this? (iRule or other method)

BIG-IP
iRules
logging
security
  • Lee_Sutcliffe's avatar
    Lee_Sutcliffe
    Icon for Nacreous rankNacreous
    Jun 20, 2019
    when CLIENT_ACCEPTED {
    log local0. "Client IP:[IP::client_addr]"
}

     You'll need to do this in the CLIENT_ACCEPTED event as above

    • David_M's avatar
      David_M
      Icon for Cirrostratus rankCirrostratus
      Jun 24, 2019

      I dont know why I dont see my client connected firing at all!!

      • Lee_Sutcliffe's avatar
        Lee_Sutcliffe
        Icon for Nacreous rankNacreous
        Jun 24, 2019

        the CLIENT_ACCEPTED event triggers when a TCP three way handshake has been completed. If you're not seeing anything in the logs it may be because your ISP is multiplexing TCP connections. This is common if you have services behind Akamai for example.

  • Snl's avatar
    Snl
    Icon for Cirrostratus rankCirrostratus
    Jun 24, 2019

    you can try below as well

    when CLIENT_ACCEPTED {
        # Get time for start of TCP connection in milleseconds
        set tcp_start_time [clock clicks -milliseconds]
 
        # Log the start of a new TCP connection
        log local0. "New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port]"
    }
 
    when LB_SELECTED {
        log local0. "Client [IP::client_addr]:[TCP::client_port]: Selected [LB::server]"
     }
     when SERVER_CONNECTED {
         log local0. "Client [IP::client_addr]:[TCP::client_port]: Connected to [IP::server_addr]:[TCP::server_port]"
     }
 
     when CLIENT_CLOSED {
         # Log the end time of the TCP connection
         log local0. "Closed TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port] (open for: [expr {[clock clicks -milliseconds] - $tcp_start_time}] ms)"
    }
    • David_M's avatar
      David_M
      Icon for Cirrostratus rankCirrostratus
      Jun 24, 2019

      So the client connected and accepted will give us the same info right?