F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Brian_Gibson_30's avatar
Brian_Gibson_30
Icon for Nimbostratus rankNimbostratus
15 years ago

Logging client connections to syslog

Hey all. New to the community but I have been managing numerous LTMs for a few years now. Due to a network design requirement, we are required to source-nat all connections to our LTMs. Because o...
management
monitoring
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
15 years ago
Hi Brian,

In 10.1.0 or higher, you could use HSL to log directly to an external pool of syslog servers. You could do one log send in CLIENT_CLOSED with the client IP:port, SNAT IP:port, server IP:port: 


 From: http://devcentral.f5.com/wiki/default.aspx/iRules/HSL__send.html
when CLIENT_ACCEPTED {
   set hsl [HSL::open -proto UDP -pool syslog_pool]
}
when SERVER_CONNECTED {
set log_line "[IP::client_addr]:[TCP::client_port] <-> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] [IP::local_addr]:[TCP::local_port] <-> [IP::server_addr]:[TCP::server_port]"
}
when CLIENT_CLOSED {
    Log connection details as local7.info; see RFC 3164 Section 4.1.1 - "PRI Part" for more info
   HSL::send $hsl "<190> $log_line"
}

In 9.4.0 - 10.0.x you could use 'log -remote' for this:

http://devcentral.f5.com/wiki/default.aspx/iRules/log

9.4.0 Added and parameters

Aaron