Log to syslogserver in reporting-ready format

Question

Hi All,&nbsp;
&nbsp;I was wondering if anyone has made an irule that would send logging to a syslog server in a format and with content thats ready to be interpreted by a reporting server, like Webtrends.&nbsp;
&nbsp;Information should contain:
&nbsp;- Client IP
&nbsp;- Visited url/path
&nbsp;- If possible (dont think so) exit page
&nbsp;- Start time/date
&nbsp;- Duration of the visit
&nbsp;- Browserversion
&nbsp;- ...usual reporting stuff&nbsp;
&nbsp;Its fairly important to export the logging to an external system as Ram Cache will be used also and the logfiles on the webserver wont show the complete picture.&nbsp;
&nbsp;(It would run on a very busy system. I hope it wont affect production traffic too much.)&nbsp;
&nbsp;Thanks for your time to read this,
&nbsp;F.

hoolio · Answer

Hi,&nbsp;
&nbsp;There have been a few similar requests in the iRule forum (before this section was created).  Try searching for 'log all connections' or similar key words in the iRule 9.x forum to find the related posts.  Check the Codeshare for an example of how to use a rule to log connection details and configure syslog-ng to send the log entries to a remote syslog server.  &nbsp;
&nbsp;Log HTTP, TCP, UDP connection details to syslog:
&nbsp;http://devcentral.f5.com/wiki/default.aspx/iRules/LogHttpTcpUdpToSyslogng.html&nbsp;
&nbsp;If you're using the RAM cache module, you'd need to add additional logic to the rule(s) using the CACHE:: commands and events to log the details for responses from cache.  For more info on this, you can check the wiki pages:&nbsp;
&nbsp;CACHE:: commands:
&nbsp;http://devcentral.f5.com/wiki/default.aspx/iRules/cache&nbsp;
&nbsp;With that said, there is a limitation to what you can log with iRules regarding the processing time taken.  The examples rules in the Codeshare link log the delta between when the HTTP request headers from the client are parsed and when the HTTP response headers from the server are parsed.  There isn't a simple way of measuring the delta between when LTM receives the full request (including the payload) from the client and when it finishes sending the response back to the client.  You can do this, but you end up having to collect the data before sending it.  This collection adds latency to the process and would therefore not make sense to do.&nbsp;
&nbsp;Reply if you have any questions on this or want help writing a rule to handle cached and non-cache logging.&nbsp;
&nbsp;Aaron

nicolas_menant · Answer

A few more information about the logging&nbsp;
&nbsp;since v9.4.4 you can send straight from an iRule to a remote syslog server: &nbsp;
&nbsp;Note: it assumes 10.1.1.1 is a remote syslog server that is routable using a TMM VLAN:&nbsp;
&nbsp;when HTTP_REQUEST {
&nbsp;HTTP::collect 4096
&nbsp;}&nbsp;
&nbsp;when HTTP_REQUEST_DATA {&nbsp;
&nbsp;log 10.1.1.1 local0.info puts "HTTP POST data is [HTTP::payload]“}
&nbsp;}&nbsp;
&nbsp;The thing is by default you may end with messager larger than 1KB. They added a new db variable that allow larger messages: tmm.maxremoteloglength &nbsp;
&nbsp;Now doing everything from iRules may not always be the best for performance. I'm not sure about if it takes more processes or less to do it straight from an iRule&nbsp;
&nbsp;One more thing if you decide to go through syslog-ng since you said you have a high traffic application:&nbsp;
&nbsp;There is a significant behavioral difference when the optional . is specified. When iRule logs messages without the facility and/or level, they are rate-limited as a class and subsequently logged messages within the rate-limit period may be suppressed even though they are textually different. However, when the  and/or  are specified, the log messages are not rate-limited (though syslog-ng will still perform suppression of repeated duplicates).”&nbsp;
&nbsp;So use the log . when doing your job&nbsp;&nbsp;

fhoek_29562 · Answer

Thank you both guys,
&nbsp;The 2 answers combined answered my question.&nbsp;
&nbsp;As I installed the 9.4.4 I can do the direct logging to the syslog server, time will tell if the box will suffer from it. They are 2 6800's with 4 GB memory so they can have some load 8-)&nbsp;&nbsp;

Forum Discussion

Log to syslogserver in reporting-ready format

3 Replies

AppWorld Berlin iRules Contest!

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

Recent Discussions

SSL Forward Proxy, iRules and Client Hello

monitor/healthcheck issue with envoy gateway

Recommendation for Adv. Lab

Changes to DO and AS3 GitHub - no longer monitored

How to Verify config before loading to F5

Related Content

X509 Subject Formatting

iRules Data Group Formatting Rules

Formatted Logging For W3c

Format objectGUID attribute from hexadecimal to bindable string (hyphen-separated format)

Import certificate as pfx format

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS