Logging client connections to syslog
Due to a network design requirement, we are required to source-nat all connections to our LTMs. Because of this we are unable to determine what time a specific client IP connected to our servers.
What we would like to do is send out syslog messages for each new socket and each reset. Our system is socket oriented and our customers generally stay on the same socket for hours, if not days. So it shouldn't be a lot of traffic. However I can't seem to figure out how to get the boxes to send out this information.
I would prefer not to log this information locally as it is just a disk space waster on LTM.
Thanks in advance for any advice.
7 Replies
- hoolio
Cirrostratus
Hi Brian,
In 10.1.0 or higher, you could use HSL to log directly to an external pool of syslog servers. You could do one log send in CLIENT_CLOSED with the client IP:port, SNAT IP:port, server IP:port:
From: http://devcentral.f5.com/wiki/default.aspx/iRules/HSL__send.html
when CLIENT_ACCEPTED {
    set hsl [HSL::open -proto UDP -pool syslog_pool]
}
when SERVER_CONNECTED {
    set log_line "[IP::client_addr]:[TCP::client_port] <-> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] [IP::local_addr]:[TCP::local_port] <-> [IP::server_addr]:[TCP::server_port]"
}
when CLIENT_CLOSED {
    # Log connection details as local7.info; see RFC 3164 Section 4.1.1 - "PRI Part" for more info
    HSL::send $hsl "<190> $log_line"
}
In 9.4.0 - 10.0.x you could use 'log -remote' for this:
http://devcentral.f5.com/wiki/default.aspx/iRules/log
9.4.0 Added and parameters
Aaron
- David_Noonan_67
Nimbostratus
The above script didn't work for me (LTM 10.2.1) until I tweaked it a bit.
From: http://devcentral.f5.com/wiki/default.aspx/iRules/HSL__send.html
when CLIENT_ACCEPTED {
    set hsl [HSL::open -proto UDP -pool syslog-pool]
}
when SERVER_CONNECTED {
    set FrontEnd "[IP::client_addr]:[TCP::client_port] <-> [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
    set BackEnd "[IP::local_addr]:[TCP::local_port] <-> [serverside {IP::remote_addr}]:[TCP::server_port]"
    # Log connection details as local7.info; see RFC 3164 Section 4.1.1 - "PRI Part" for more info
    HSL::send $hsl "<190> HSL: $FrontEnd | $BackEnd"
}
1. With the HSL::send in the CLIENT_CLOSED event I got "TCL error: connection_logging-rule - can't read "log_line": no such variable while executing "HSL::send $hsl "<190> $log_line". It was fine once I moved it to SERVER_CONNECTED.
2. "[IP::server_addr]" was giving me the VS address instead of the back-end server IP so I changed it to "[serverside {IP::remote_addr}]".
I also broke the log line into two parts just for clarity.
Now it generates a local7.info line that looks like
HSL: 10.3.225.11:3961 <-> 10.13.171.14:80 | 10.3.225.11:3961 <-> 10.13.17.44:80
- James_124570
Nimbostratus
Is it really a good idea to attach an iRule that scans every packet to a production virtual server? There has to be a better way. Just my thoughts.
- vlad94103_22344
Nimbostratus
Bump up. Re: Logging the sessions with session ID binding the server- and client- sides.
- David_Noonan_67
Nimbostratus
Does anyone know of any issues that might be caused by moving the logging to SERVER_CONNECTED?
Any idea why I was getting the "can't read 'log_line'" message?
- nitass
Employee
[root@edelweiss:Active] config b version|grep -iA 1 version
BIG-IP Version 10.2.1 511.0
Hotfix HF3 Edition
[root@edelweiss:Active] config b virtual bar list
virtual bar {
snat automap
pool foo
destination 172.28.17.77:http
ip protocol tcp
rules myrule
}
[root@edelweiss:Active] config b rule myrule list
rule myrule {
when CLIENT_ACCEPTED {
set hsl [HSL::open -proto UDP -pool syslogpool]
}
when SERVER_CONNECTED {
set log_line "[IP::client_addr]:[TCP::client_port] <-> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] [IP::local_addr]:[TCP::local_port] <-> [IP::server_addr]:[TCP::server_port]"
}
when CLIENT_CLOSED {
# Log connection details as local7.info; see RFC 3164 Section 4.1.1 - "PRI Part" for more info
HSL::send $hsl "<190> $log_line"
}
}
[root@edelweiss:Active] config tail -f /var/log/ltm
[root@edelweiss:Active] config
C:\>nc -l -u -p 514
<190> 192.168.206.96:51759 <-> 172.28.17.77:80 10.10.72.70:51759 <-> 10.10.70.110:80
Is it possible that your client connection closed before SERVER_CONNECTED was triggered?
iRules HTTP Event Order Update
http://devcentral.f5.com/weblogs/jason/archive/2011/02/01/irules-http-event-order-update.aspx
- vlad94103_22344
Nimbostratus
Bumping up. Logging the sessions with session ID binding the server- and client- sides.
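On the receiving side, the HSL lines produced by the iRules in hoolio's and David's posts still have to be turned into something a person can search when the server team asks "which client was behind SNAT 10.10.72.70:51759?". The following Python receiver and parser is an added example, not code from this thread or from F5: it decodes the <190> PRI into facility and severity (local7.info, per the RFC 3164 comment in the iRules), parses both line layouts shown above (hoolio's space-separated form and David's "HSL: ... | ..." form) into client / VIP / SNAT / server endpoints, and keeps a SNAT-tuple-to-client index. The two sample messages are the lines posted in the thread; the serve() listener, its port, the SnatIndex class and the field names are assumptions for illustration. As nitass points out, a connection that closes before SERVER_CONNECTED fires produces no line with hoolio's version, so a lookup for such a SNAT tuple simply returns None.

```python
"""Receive and parse BIG-IP HSL connection-log lines (added example, not from the thread).

Decodes the RFC 3164 PRI, extracts client / VIP / SNAT / server endpoints and
keeps an index so a SNAT ip:port seen on a server can be mapped back to the client.
"""
import re
import socket
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]

# The two lines posted in the thread: David's "HSL: ... | ..." layout and
# hoolio's space-separated layout as captured by nitass with nc.
SAMPLE_MESSAGES = [
    "<190> HSL: 10.3.225.11:3961 <-> 10.13.171.14:80 | 10.3.225.11:3961 <-> 10.13.17.44:80",
    "<190> 192.168.206.96:51759 <-> 172.28.17.77:80 10.10.72.70:51759 <-> 10.10.70.110:80",
]

FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}   # 23 -> local7
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_ENDPOINT = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})"
_PAIR = rf"{_ENDPOINT} <-> {_ENDPOINT}"
# <PRI> [HSL:] client <-> vip [|] snat <-> server
_LINE_RE = re.compile(rf"^<(\d{{1,3}})>\s*(?:HSL:\s*)?{_PAIR}\s*(?:\|\s*)?{_PAIR}\s*$")


@dataclass(frozen=True)
class ConnectionRecord:
    facility: int
    severity: int
    client: Endpoint   # original client, as seen on the clientside
    vip: Endpoint      # virtual server the client connected to
    snat: Endpoint     # source-NAT address the back-end server sees
    server: Endpoint   # pool member chosen for this connection


def parse_pri(pri: int) -> Tuple[int, int]:
    """Split an RFC 3164 PRI into (facility, severity); 190 -> (23, 6) = local7.info."""
    return divmod(pri, 8)


def parse_hsl_line(message: str) -> Optional[ConnectionRecord]:
    """Parse one datagram; returns None for anything that is not a connection line."""
    m = _LINE_RE.match(message)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 0-23 and severity 0-7 give 191 as the largest legal PRI
        return None
    facility, severity = parse_pri(pri)
    g = m.groups()  # g[0] = PRI, then (ip, port) pairs for client, vip, snat, server

    def endpoint(i: int) -> Endpoint:
        return (g[i], int(g[i + 1]))

    return ConnectionRecord(facility, severity, endpoint(1), endpoint(3), endpoint(5), endpoint(7))


class SnatIndex:
    """Map the SNAT tuple a server sees back to the client that owns it (hypothetical helper).

    Latest record wins; ephemeral ports are reused over time, so a real deployment
    would also key on the syslog receive timestamp. Unknown tuples return None.
    """

    def __init__(self) -> None:
        self._by_snat: Dict[Endpoint, ConnectionRecord] = {}

    def add(self, rec: ConnectionRecord) -> None:
        self._by_snat[rec.snat] = rec

    def lookup(self, snat_ip: str, snat_port: int) -> Optional[Endpoint]:
        rec = self._by_snat.get((snat_ip, snat_port))
        return rec.client if rec else None


def describe(rec: ConnectionRecord) -> str:
    """Human-readable one-liner, e.g. for forwarding to a SIEM."""
    fac = FACILITY_NAMES.get(rec.facility, str(rec.facility))
    return (f"{fac}.{SEVERITY_NAMES[rec.severity]} client={rec.client[0]}:{rec.client[1]} "
            f"vip={rec.vip[0]}:{rec.vip[1]} snat={rec.snat[0]}:{rec.snat[1]} "
            f"server={rec.server[0]}:{rec.server[1]}")


def serve(bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """UDP listener equivalent to `nc -l -u -p 514`, but parsing and indexing each datagram.

    Port 514 is an assumption (and needs root on most systems); use the port the HSL pool targets.
    """
    index = SnatIndex()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, _peer = sock.recvfrom(2048)
            rec = parse_hsl_line(data.decode("utf-8", errors="replace"))
            if rec is not None:
                index.add(rec)
                print(describe(rec))


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        rec = parse_hsl_line(msg)
        print(describe(rec) if rec else f"unparsed: {msg}")
```

Run it as-is to see the two thread lines parsed, or call serve() to replace the netcat listener from nitass's post. The parser deliberately accepts both layouts so one receiver works with either iRule variant; anything else (a BIG-IP message with a different body, a truncated datagram) is dropped rather than mis-indexed.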
