For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Brian_Gibson_30's avatar
Brian_Gibson_30
Icon for Nimbostratus rankNimbostratus
Dec 06, 2010

Logging client connections to syslog

Hey all. New to the community but I have been managing numerous LTMs for a few years now. Due to a network design requirement, we are required to source-nat all connections to our LTMs. Because o...
management
monitoring
nitass's avatar
nitass
Icon for Employee rankEmployee
Aug 06, 2011
[root@edelweiss:Active] config b version|grep -iA 1 version

 

BIG-IP Version 10.2.1 511.0

 

Hotfix HF3 Edition

 

 

[root@edelweiss:Active] config b virtual bar list

 

virtual bar {

 

snat automap

 

pool foo

 

destination 172.28.17.77:http

 

ip protocol tcp

 

rules myrule

 

}

 

 

[root@edelweiss:Active] config b rule myrule list

 

rule myrule {

 

when CLIENT_ACCEPTED {

 

set hsl [HSL::open -proto UDP -pool syslogpool]

 

}

 

when SERVER_CONNECTED {

 

set log_line "[IP::client_addr]:[TCP::client_port] <-> [clientside {IP::local_addr}]:[clientside {TCP::local_port}] [IP::local_addr]:[TCP::local_port] <-> [IP::server_addr]:[TCP::server_port]"

 

}

 

when CLIENT_CLOSED {

 

Log connection details as local7.info; see RFC 3164 Section 4.1.1 - "PRI Part" for more info

 

HSL::send $hsl "<190> $log_line"

 

}

 

}

 

 

[root@edelweiss:Active] config tail -f /var/log/ltm

 

[root@edelweiss:Active] config

 

 

C:\>nc -l -u -p 514

 

<190> 192.168.206.96:51759 <-> 172.28.17.77:80 10.10.72.70:51759 <-> 10.10.70.110:80

 

 

is it possible that your client connection closed before server_connect was triggered?

 

 

iRules HTTP Event Order Update

 

http://devcentral.f5.com/weblogs/jason/archive/2011/02/01/irules-http-event-order-update.aspx