Forum Discussion
Brian_Gibson_30
Nimbostratus
Dec 06, 2010
Logging client connections to syslog
Hey all. New to the community but I have been managing numerous LTMs for a few years now. Due to a network design requirement, we are required to source-nat all connections to our LTMs. Because o...
hoolio
Cirrostratus
Dec 06, 2010
Hi Brian,
In 10.1.0 or higher, you could use HSL to log directly to an external pool of syslog servers. You could do one log send in CLIENT_CLOSED with the client IP:port, SNAT IP:port, server IP:port:
From: http://devcentral.f5.com/wiki/default.aspx/iRules/HSL__send.html
when CLIENT_ACCEPTED {
    set hsl [HSL::open -proto UDP -pool syslog_pool]
}
when SERVER_CONNECTED {
    set log_line "[IP::client_addr]:[TCP::client_port] <-> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] [IP::local_addr]:[TCP::local_port] <-> [IP::server_addr]:[TCP::server_port]"
}
when CLIENT_CLOSED {
    # Log connection details as local7.info; see RFC 3164 Section 4.1.1 - "PRI Part" for more info
    HSL::send $hsl "<190> $log_line"
}
In 9.4.0 - 10.0.x you could use 'log -remote' for this:
http://devcentral.f5.com/wiki/default.aspx/iRules/log
9.4.0 Added and parameters
Aaron
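An added example, not part of the post above or of F5's code: a receiver-side parser in Python for the log line that iRule emits. It decodes the `<190>` PRI and maps a SNAT address and port seen in a pool member's log back to the real client. The field names and sample lines are constructed, and reading the second and third endpoints as the virtual server and SNAT addresses is an assumption based on the iRule's commands.

```python
import re

# RFC 3164 facility and severity names, indexed by numeric code.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock local0 local1 local2 local3 local4 "
              "local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# "<PRI> a:p <-> b:p c:p <-> d:p", the layout of $log_line in the iRule.
LINE_RE = re.compile(r"^<(\d{1,3})>\s*(\S+) <-> (\S+) (\S+) <-> (\S+)\s*$")
FIELDS = ("client", "vip", "snat", "server")  # names assumed for this example

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 addresses survive."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not host or not port.isdigit() or int(port) > 65535:
        raise ValueError(endpoint)
    return host, int(port)

def parse_hsl_line(raw):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(raw)
    if not m or int(m.group(1)) > 191:      # 191 = local7.debug, highest PRI
        return None
    try:
        record = dict(zip(FIELDS, map(split_endpoint, m.groups()[1:])))
    except ValueError:
        return None
    pri = int(m.group(1))
    record["facility"] = FACILITIES[pri >> 3]   # PRI = facility * 8 + severity
    record["severity"] = SEVERITIES[pri & 7]
    return record

def client_for(records, snat_ip, snat_port):
    """Map a SNAT source seen in a pool member's log back to the client."""
    for r in records:
        if r["snat"] == (snat_ip, snat_port):
            return r["client"]
    return None

# Constructed sample datagrams (documentation address ranges), one malformed.
SAMPLE = [
    "<190> 198.51.100.23:51544 <-> 203.0.113.10:443 10.0.0.5:34012 <-> 10.0.0.21:8080",
    "<190> 198.51.100.77:40210 <-> 203.0.113.10:443 10.0.0.5:34013 <-> 10.0.0.22:8080",
    "<190> 198.51.100.9:1234 <-> not-a-log-line",
]
RECORDS = [r for r in map(parse_hsl_line, SAMPLE) if r is not None]

if __name__ == "__main__":
    print(client_for(RECORDS, "10.0.0.5", 34013))
```

SNAT source ports are reused over time, so a lookup against real logs should also match on the time the record was received.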