Logging for iRule isn't working?

Question

Hello, &nbsp;
I want to output rejections for this iRule to a syslog server. My syntax is &nbsp;
when HTTP_REQUEST {
if { !(([HTTP::host] starts_with "website.co.uk") or ([HTTP::host] starts_with ";) or ([HTTP::host] starts_with "backup.mywebsite.co.uk") or ([HTTP::host] starts_with ";)) } {
discard }
{log local0. "blocked [HTTP::header "User-Agent"] requesting [HTTP::host][HTTP::uri]"}
}&nbsp;
I tried the following as well;&nbsp;
when HTTP_REQUEST {
if { !(([HTTP::host] starts_with "website.co.uk") or ([HTTP::host] starts_with ";) or ([HTTP::host] starts_with "backup.mywebsite.co.uk") or ([HTTP::host] starts_with ";)) } {
discard }
log local0. "blocked [HTTP::header "User-Agent"] requesting [HTTP::host][HTTP::uri]"
}&nbsp;
Which DID log but didn't show correctly in syslog. &nbsp;
Basically I want the syslog message to use the keyword 'blocked' to make searching easier. &nbsp;
Thanks&nbsp;

cjunior · Answer

Hi,
What about doing this way?
when HTTP_REQUEST { 
    switch -glob [string tolower [HTTP::host]] {
        "website.co.uk*" -
        "www.website.co.uk*" -
        "backup.mywebsite.co.uk*" -
        "www.backup.mywebsite.co.uk*" {
            nothing to do
        }
        default {
            log local0. "blocked [HTTP::header "User-Agent"] requesting [HTTP::host][HTTP::uri]"
            discard
        }
    }
}

It works for you? I hope so. 
Regards.

vernonwells · Answer

Do you really mean starts_with in these cases?  Since .uk is a top-level domain, I assume you are not expecting Host header entries for something like "website.co.uk.foo.bar.baz.com".  I ask because dropping the glob matching (and the asterisks at the end of the hostnames) makes the rule a bit faster, and I presume, more correct.
Also, log delivers to the local syslog facility on the BIG-IP, which (unless you changed the syslog.conf) means it is going to a local file on the BIG-IP.  If you want remote syslog, the best avenue is to use High Speed Logging from within your iRule:
High Speed Logging

vernon_97235 · Answer

Do you really mean starts_with in these cases?  Since .uk is a top-level domain, I assume you are not expecting Host header entries for something like "website.co.uk.foo.bar.baz.com".  I ask because dropping the glob matching (and the asterisks at the end of the hostnames) makes the rule a bit faster, and I presume, more correct.
Also, log delivers to the local syslog facility on the BIG-IP, which (unless you changed the syslog.conf) means it is going to a local file on the BIG-IP.  If you want remote syslog, the best avenue is to use High Speed Logging from within your iRule:
High Speed Logging

someguy_126006 · Answer

Have you tried, the below, where User-Agent is without quotes and has value?
when HTTP_REQUEST {
    if { !(([HTTP::host] starts_with "website.co.uk") or ([HTTP::host] starts_with "www.website.co.uk";) or ([HTTP::host] starts_with "backup.mywebsite.co.uk") or ([HTTP::host] starts_with "www.backup.mywebsite.co.uk";)) } { 
        log local0. "blocked [HTTP::header value User-Agent] requesting [HTTP::host][HTTP::uri]" 
        discard 
    } 
}

cjunior · Answer

For sure that for non-standard port, the "starts_with" is relevant to him.&nbsp;

Forum Discussion

Logging for iRule isn't working?

9 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

2026 301a exam

UCS Encryption Question

Unblock Request WAF

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.

VIP in https that redirect to another vip in https

Related Content

Performance Logging iRule (Rule_http_log)

iRULE not working for ipfix log publisher.

Getting Started with iRules: Logging & Comments

Forwarding Logs to SIEM Tools via HTTP Proxy for F5 Distributed Cloud Global Log Receiver

irule logging question

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS