Forum Discussion
Mattmans1
Nimbostratus
NimbostratusLogging all VIP connections to syslog - Irule only?
Hi Guys, I have around 35 VIP's setup on my LTM - i have a requirement to log the original Source IP of the requesting client to a syslog server so we can audit who has been accessing the servers...
Its possible via iRule to capture client IP address but default F5 syslogs "/var/log/ltm" file will quickly fill. Assign below iRule to all VIPs.
when HTTP_REQUEST { log local0. "clientIP:[IP::client_addr] accessed [HTTP::host][HTTP::uri]" }Please review my old post: https://devcentral.f5.com/s/question/0D51T00006i7k94/capturing-source-ip-addresses-for-vip
Samir
MVP
MVPAbove iRule will work for HTTP connection. If you wanted to capture all connection date then go with below irule.
It will give complete picture
when SERVER_CONNECTED {
# This logs information about the TCP connections on *both* sides of the full proxy
set client_remote "[IP::client_addr]:[TCP::client_port]"
set client_local "[IP::local_addr clientside]:[TCP::local_port clientside]"
set server_local "[IP::local_addr]:[TCP::local_port]"
set server_remote "[IP::server_addr]:[TCP::server_port]"
log local0. "Got connection: Client($client_remote)<->($client_local)LTM($server_local)<->($server_remote)Server"
}Output will be like below.
<SERVER_CONNECTED>: Got connection: Client(101.3.3.20:33791)<->(10.2.4.111:80)LTM(10.1.1.110:33768)<->(10.3.5.200:8080)Server