fhoek_29562
Nimbostratus
Feb 19, 2008
Log to syslog server in reporting-ready format
Hi All,
I was wondering if anyone has made an iRule that would send logging to a syslog server in a format and with content that's ready to be interpreted by a reporting server, like Webtrends.
Information should contain:
- Client IP
- Visited url/path
- If possible (don't think so) exit page
- Start time/date
- Duration of the visit
- Browser version
- ...usual reporting stuff
It's fairly important to export the logging to an external system as RAM Cache will be used also and the logfiles on the webserver won't show the complete picture.
(It would run on a very busy system. I hope it won't affect production traffic too much.)
Thanks for your time to read this,
F.
3 Replies
- hoolio
Cirrostratus
Hi,
There have been a few similar requests in the iRule forum (before this section was created). Try searching for 'log all connections' or similar key words in the iRule 9.x forum to find the related posts. Check the Codeshare for an example of how to use a rule to log connection details and configure syslog-ng to send the log entries to a remote syslog server.
Log HTTP, TCP, UDP connection details to syslog:
http://devcentral.f5.com/wiki/default.aspx/iRules/LogHttpTcpUdpToSyslogng.html
If you're using the RAM cache module, you'd need to add additional logic to the rule(s) using the CACHE:: commands and events to log the details for responses from cache. For more info on this, you can check the wiki pages:
CACHE:: commands:
http://devcentral.f5.com/wiki/default.aspx/iRules/cache
With that said, there is a limitation to what you can log with iRules regarding the processing time taken. The example rules in the Codeshare link log the delta between when the HTTP request headers from the client are parsed and when the HTTP response headers from the server are parsed. There isn't a simple way of measuring the delta between when LTM receives the full request (including the payload) from the client and when it finishes sending the response back to the client. You can do this, but you end up having to collect the data before sending it. This collection adds latency to the process and would therefore not make sense to do.
Reply if you have any questions on this or want help writing a rule to handle cached and non-cache logging.
Aaron
- Nicolas_Menant
Employee
Some more information about the logging:
Since v9.4.4 you can send straight from an iRule to a remote syslog server:
Note: it assumes 10.1.1.1 is a remote syslog server that is routable using a TMM VLAN:
when HTTP_REQUEST {
    # Buffer up to 4096 bytes of the request body
    HTTP::collect 4096
}
when HTTP_REQUEST_DATA {
    # Send the collected payload to the remote syslog server
    log 10.1.1.1 local0.info "HTTP POST data is [HTTP::payload]"
}
The thing is, by default you may end up with messages larger than 1 KB. They added a new db variable that allows larger messages: tmm.maxremoteloglength
Now, doing everything from iRules may not always be the best for performance. I'm not sure whether it takes more processes or less to do it straight from an iRule.
One more thing if you decide to go through syslog-ng since you said you have a high traffic application:
“There is a significant behavioral difference when the optional <facility>.<level> is specified. When iRule logs messages without the facility and/or level, they are rate-limited as a class and subsequently logged messages within the rate-limit period may be suppressed even though they are textually different. However, when the <facility> and/or <level> are specified, the log messages are not rate-limited (though syslog-ng will still perform suppression of repeated duplicates).”
So use the log <facility>.<level> when doing your job
- fhoek_29562
Nimbostratus
Thank you both guys,
The 2 answers combined answered my question.
As I installed the 9.4.4 I can do the direct logging to the syslog server, time will tell if the box will suffer from it. They are 2 6800's with 4 GB memory so they can have some load 8-)
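An added example, not code posted by anyone in this thread: one iRule that applies the points above (remote `log` with an explicit facility and level, separate handling for RAM Cache hits, and lines short enough for the 1 KB default). It logs request metadata only, and it strips control characters from client-supplied values so a crafted header cannot forge extra fields or log lines. The pipe-delimited layout, the variable names, the 120-character cap and the assumption that cache hits raise CACHE_RESPONSE rather than HTTP_RESPONSE are mine; 10.1.1.1 is the sample server from the reply above.

```tcl
# Added example, not from the thread. 10.1.1.1 is the thread's sample syslog
# server; the "|" layout, variable names and 120-character cap are assumptions.
when HTTP_REQUEST {
    set t0 [clock clicks -milliseconds]
    set ts [clock format [clock seconds] -format "%Y-%m-%d %H:%M:%S"]
    set req ""
    foreach f [list [IP::client_addr] $ts [HTTP::method] [HTTP::host] \
            [HTTP::uri] [HTTP::header value "Referer"] \
            [HTTP::header value "User-Agent"]] {
        # Client-supplied values must not be able to forge fields or lines:
        # replace control characters and the delimiter, then cap the length.
        regsub -all {[[:cntrl:]|]} $f "_" f
        append req [string range $f 0 119] "|"
    }
}
when HTTP_RESPONSE {
    # Answered by a pool member. Duration is the delta between parsed
    # request headers and parsed response headers, in milliseconds.
    set ms [expr {[clock clicks -milliseconds] - $t0}]
    log 10.1.1.1 local0.info "${req}[HTTP::status]|$ms|origin"
}
when CACHE_RESPONSE {
    # Answered from RAM cache (assumed not to raise HTTP_RESPONSE).
    set ms [expr {[clock clicks -milliseconds] - $t0}]
    log 10.1.1.1 local0.info "${req}-|$ms|cache"
}
```

Seven capped fields plus status, duration and source come to roughly 870 characters at most, so tmm.maxremoteloglength does not need raising for this layout.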