Forum Discussion

Mattmans1's avatar
Icon for Nimbostratus rankNimbostratus
Jun 30, 2020

Logging all VIP connections to syslog - Irule only?

Hi Guys,


I have around 35 VIP's setup on my LTM - i have a requirement to log the original Source IP of the requesting client to a syslog server so we can audit who has been accessing the servers by querying the syslog messages. If i take the LTM log file below, is all the connections to VIP's logged to this file by default? if so would it be the original src/dst or the src/dst after its been "Snat" and "Dnat" by the LTM?



local traffic / The local traffic messages pertain specifically to the BIG-IP local traffic management events ./var/log/ltm



I have been told you can only log traffic events to VIP's using an Irule but i'm not sure i this is true? can anyone clarify please?


3 Replies

    • Mattmans1's avatar
      Icon for Nimbostratus rankNimbostratus

      Hello Samir,


      Thankyou so much, just what i was looking for. Do you know if this is the same as configuring a HTTP profile? Would it do the same thing?


      Am i also right in thinking that if you had a custom VIP for a random SSH jump server that you would have to use an irule to log that since you cant use a HTTP profile?

  • Above iRule will work for HTTP connection. If you wanted to capture all connection date then go with below irule.

    It will give complete picture

      # This logs information about the TCP connections on *both* sides of the full proxy
      set client_remote "[IP::client_addr]:[TCP::client_port]"
      set client_local  "[IP::local_addr clientside]:[TCP::local_port clientside]"
      set server_local  "[IP::local_addr]:[TCP::local_port]"
      set server_remote "[IP::server_addr]:[TCP::server_port]"
      log local0. "Got connection: Client($client_remote)<->($client_local)LTM($server_local)<->($server_remote)Server"

    Output will be like below.

    <SERVER_CONNECTED>: Got connection: Client(<->(<->(