Forum Discussion
Logging all traffic iRule.
Hello,
I have the following iRule for logging all traffic:
when CLIENT_ACCEPTED {
    set vip [IP::local_addr]:[TCP::local_port]
}
when SERVER_CONNECTED {
    set client "[IP::client_addr]:[TCP::client_port]"
    set node "[IP::server_addr]:[TCP::server_port]"
    set snat "[IP::local_addr]:[TCP::local_port]"
}
when CLIENT_CLOSED {
    # log connection info
    log local0.info "Client $client -> VIP: $vip -> SNAT: $snat -> Node: $node"
}
I have tested this on a virtual F5 which worked fine, however for some reason on a production LTM, I get the following error in the logs:
TCL error: /Common/Source_IP_Logging - can't read "client": no such variable while executing "log local0.info "Client $client -> VIP: $vip -> SNAT: $snat -> Node: $node""
From time to time it works fine on the production one as well.
1. Should I try to move my client variable definition to the "when CLIENT_ACCEPTED" section?
2. Should I use double quotes for variable definition, or make all of them like the "vip" one?
Regards
Mariusz
- Michael_Jenkins
Cirrostratus
SERVER_CONNECTED is an event that's fired when the LTM makes a connection to the backend node, so if the client connects and disconnects before the LTM ever makes a connection to the backend, you won't have those variables.
I'd recommend moving at least the client and snat variables to the CLIENT_ACCEPTED event. The node won't be available until the server connects, but you could initialize the variable in the client accepted event to some default value and then update its value when the server connect happens.
- Mariusz_B
Nimbostratus
Thank you Michael.
I have done something like this, and I am about to test it in the next few days:
when CLIENT_ACCEPTED {
    set client "[IP::client_addr]:[TCP::client_port]"
    set vip "[IP::local_addr]:[TCP::local_port]"
    set snat "unknown"
    set node "unknown"
}
when SERVER_CONNECTED {
    set snat "[IP::local_addr]:[TCP::local_port]"
    set node "[IP::server_addr]:[TCP::server_port]"
}
when CLIENT_CLOSED {
    # log connection info
    log local0.info "Client $client -> VIP: $vip -> SNAT: $snat -> Node: $node"
}
- Snl
Cirrostratus
I have a similar requirement, where the customer is using automap and wants to enable logging for a specific virtual server to capture all sessions. It's not working since the unknown keyword is matching on the snat & node side. Also, the virtual server is running on port smtp, so I cannot add an http profile.
Code:
when CLIENT_ACCEPTED {
    set client "[IP::client_addr]:[TCP::client_port]"
    set vip "[IP::local_addr]:[TCP::local_port]"
    set snat "unknown"
    set node "unknown"
}
when SERVER_CONNECTED {
    set snat "[IP::local_addr]:[TCP::local_port]"
    set node "[IP::server_addr]:[TCP::server_port]"
}
when CLIENT_CLOSED {
    # log connection info
    log local0.info "Client $client -> VIP: $vip -> SNAT: $snat -> Node: $node"
}
Any help appreciated.
/snl
I think it is wiser to start a new question.
And explain what you mean by "unknown is matching": if unknown is shown, that is for a reason; those fields aren't known yet when the log occurs.
Also, you don't need an HTTP profile for any of these iRule statements, it is all TCP or lower.
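An added example, not part of the thread: a small parser for the log line this iRule writes, separating connections that reached a node from those still carrying the "unknown" placeholders (the client closed before SERVER_CONNECTED fired), and counting the TCL error from the first version of the rule. The function name, the syslog prefix and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Message body written by the iRule in this thread (syslog prefix is ignored).
FLOW_RE = re.compile(
    r"Client (?P<client>\S+) -> VIP: (?P<vip>\S+) -> "
    r"SNAT: (?P<snat>\S+) -> Node: (?P<node>\S+)"
)
# Runtime error quoted in the first post; "." stands in for the apostrophe.
TCL_ERR_RE = re.compile(r'TCL error: (?P<rule>\S+) - can.t read "(?P<var>\w+)"')


def summarize(lines):
    """Return (flows, client IPs that never reached a node, TCL errors by variable)."""
    flows, no_backend, tcl_errors = [], Counter(), Counter()
    for line in lines:
        # Check the error first: it quotes the log command, so FLOW_RE would
        # otherwise match the literal "$client -> VIP: $vip ..." text inside it.
        err = TCL_ERR_RE.search(line)
        if err:
            tcl_errors[err["var"]] += 1
            continue
        m = FLOW_RE.search(line)
        if not m:
            continue
        flow = m.groupdict()
        # "unknown" is the placeholder set in CLIENT_ACCEPTED, so it survives
        # only when SERVER_CONNECTED never fired for this connection.
        flow["reached_backend"] = "unknown" not in (flow["snat"], flow["node"])
        flows.append(flow)
        if not flow["reached_backend"]:
            # rsplit keeps IPv6 or route-domain addresses intact, drops the port.
            no_backend[flow["client"].rsplit(":", 1)[0]] += 1
    return flows, no_backend, tcl_errors


# Constructed sample lines; addresses are documentation ranges, prefix is illustrative.
SAMPLE = [
    "Oct  3 10:15:02 ltm1 info tmm[1]: Rule /Common/Source_IP_Logging <CLIENT_CLOSED>: "
    "Client 198.51.100.7:51234 -> VIP: 192.0.2.10:25 -> SNAT: 10.1.1.1:40001 -> Node: 10.1.1.20:25",
    "Oct  3 10:15:03 ltm1 info tmm[1]: Rule /Common/Source_IP_Logging <CLIENT_CLOSED>: "
    "Client 203.0.113.9:40000 -> VIP: 192.0.2.10:25 -> SNAT: unknown -> Node: unknown",
    "Oct  3 10:15:04 ltm1 info tmm[1]: Rule /Common/Source_IP_Logging <CLIENT_CLOSED>: "
    "Client 203.0.113.9:40001 -> VIP: 192.0.2.10:25 -> SNAT: unknown -> Node: unknown",
    'Oct  3 10:15:05 ltm1 err tmm[1]: TCL error: /Common/Source_IP_Logging - can\'t read "client": '
    'no such variable while executing "log local0.info "Client $client -> VIP: $vip -> SNAT: $snat -> Node: $node""',
]

if __name__ == "__main__":
    flows, no_backend, tcl_errors = summarize(SAMPLE)
    print(len(flows), dict(no_backend), dict(tcl_errors))
```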
- Rich_T_187288
Nimbostratus
Hi Michael J,
Would you mind checking the above and let us know if the above example is suitable please?
Thanks.
- Michael_Jenkins
Cirrostratus
Syntactically I think it looks good. I'm not near a device to check it, but it looks good to me.
- Rich_T_187288
Nimbostratus
Hi Michael, Great, thanks for giving it a look over. :)
- YossiV
Nimbostratus
I have tested your iRule on my Virtual F5 and my 4000, it passed fine.
- Nithin1
Nimbostratus
Can I have the exact iRule for this?
- BIBEK
Nimbostratus
What is the iRule for logging headers only from one IP?
- Greasy_Pretzel
Ret. Employee
Unless this is for debugging purposes, logging your traffic like this is not the best approach. A better option is taking a capture. If you have to use the iRule, then after debugging, please comment out the log local0. line or remove the iRule from the virtual server. You don't want to fill up your LTM logs that are meant for system logs.
- Greasy_Pretzel
Ret. Employee
To add 'add http profile' you will need to add a when HTTP_REQUEST event.