Forum Discussion
Ah_Fat_2262
Nimbostratus
Mar 31, 2012
Logging Of Traffic Logs For HTTP Connection
Hi,
I would like to log the traffic log of a certain IP HTTP connection. Can an iRule achieve that? If yes, please advise.
Thks and Rgds
6 Replies
- Ah_Fat_2262
Nimbostratus
Hi,
I have done some checking on the F5 DevCentral forum (https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/8888/showtab/groupforums/Default.aspx) and they mentioned that it can be done via an iRule. Please refer to the below for the script to log the HTTP connection.
HTTP logger rule:
    when HTTP_REQUEST {
        # Set the URL here, log it on the response
        set url [HTTP::header Host][HTTP::uri]
        set vip [IP::local_addr]:[TCP::local_port]
    }
    when HTTP_RESPONSE {
        set client [IP::client_addr]:[TCP::client_port]
        set node [IP::server_addr]:[TCP::server_port]
        set nodeResp [HTTP::status]
        # Log connection info
        log local0.info "Client: $client -> VIP:$vip$url -> Node: $node with response $nodeResp"
    }
Thus, I would like to check with you: do I need to input any values in the portion in bold & italic, or just leave it as default?
On top of that, if all these logs are to be sent to the remote syslog server,
1) Will F5 auto log the logs to the remote server? or 2) Do I still need to configure syslog-ng to send the logs to the remote server after I have configured the remote syslog server on the F5?
Thks and Rgds
- hoolio
Cirrostratus
Hi Ah Fat,
If you're on 10.1 or higher, I suggest using High Speed Logging to send the logging directly from TMM without logging locally or going through syslog-ng. HSL should be a lot more efficient. For details check the HSL wiki page:
https://devcentral.f5.com/wiki/iRules.hsl.ashx
And here are a couple of examples:
https://devcentral.f5.com/wiki/iRules.FormattedLoggingForW3c.ashx
https://devcentral.f5.com/wiki/iRules.Log-Tcp-And-Http-Request-Response-Info-Remotely.ashx
Aaron
- Ah_Fat_2262
Nimbostratus
Hi Aaron,
The examples seem very complicated. Is there anything simpler? I am just a beginner with the F5 appliance.
Rgds
- hoolio
Cirrostratus
You could use the second example exactly as it is. Or if you want to log just on the HTTP response you could use this:
    when RULE_INIT {
        # Save the name of the BIG-IP
        set static::bigip [info hostname]
        # Set the log facility
        # Ex: <191> = local7.debug
        # See RFC 3164 Section 4.1.1 - "PRI Part" or https://devcentral.f5.com/wiki/iRules.HSL__send.ashx for more info
        set static::facility <191>
        # Add the facility and hostname to the log prefix
        set static::hsl_prefix "$static::facility|host=$static::bigip"
    }
    when CLIENT_ACCEPTED {
        # Open a new high speed logging connection to the syslog pool named syslog_server_pool
        set hsl [HSL::open -proto UDP -pool syslog_server_pool]
        # Append the client IP:port to a local copy of the log prefix so we can log it in SERVER_CLOSED
        set hsl_prefix "${static::hsl_prefix}|client=[IP::client_addr]:[TCP::client_port]"
    }
    when HTTP_REQUEST {
        # Get time for start of HTTP request
        set http_request_time [clock clicks -milliseconds]
        set url "[HTTP::host][HTTP::uri]"
    }
    when HTTP_RESPONSE {
        # Received the response headers from the server. Log the pool name, IP and port, status and
        # time delta between HTTP request headers received from client and response headers received from server
        HSL::send $hsl "$hsl_prefix|event=HTTP_RESPONSE|url=$url|vs=[clientside {IP::local_addr}]:[clientside {TCP::local_port}]\
            |http_status=[HTTP::status]|http_request_response_delta_ms=\
            [expr {[clock clicks -milliseconds] - $http_request_time}]|desc=HTTP response|\n"
    }
Aaron
- Ah_Fat_2262
Nimbostratus
Hi Aaron,
Thanks very much for the assistance. I will try it out. However, I have a couple of questions:
1) Do I just use the quoting as provided, or do I still need to add/change/configure the value for some of the lines?
2) For the line of set hsl [HSL::open -proto UDP -pool syslog_server_pool] what if I do not have such a remote server group?
However, I have added a remote server using the below command instead
bigpipe syslog remote server {server1 {host xx.xx.xx.xx}}
Please advise.
Thks and Rgds
- hoolio
Cirrostratus
All you should need to do is define your syslog server in a pool named syslog_server_pool:
b pool syslog_server_pool {members xx.xx.xx.xx:514}
b save
If you want to send the logs to something other than local7.debug, change this variable to the value described on the HSL::send wiki page (https://devcentral.f5.com/wiki/iRules.HSL__send.ashx):
set static::facility <191>
Aaron
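For the receiving side of the HSL iRule above, here is an added example (not from the thread or from F5) that computes the `static::facility` PRI value and parses the pipe-delimited line the iRule emits. It assumes the collector sees the raw datagram payload; the function names, hostnames and addresses are constructed for illustration.

```python
import re

# RFC 3164 section 4.1.1 facility and severity names, indexed by numeric code.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock local0 local1 local2 local3 local4 "
              "local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

def pri(facility, severity):
    """Value for 'set static::facility': PRI = facility * 8 + severity."""
    return "<%d>" % (FACILITIES.index(facility) * 8 + SEVERITIES.index(severity))

# Field order is fixed by the HSL::send format string in the iRule. The url
# field is client-supplied (Host header + URI) and may itself contain '|', so
# it is matched greedily and the BIG-IP-generated fields after it anchor the
# end of the line. \s* absorbs the space Tcl substitutes for each
# backslash-newline continuation inside the quoted string.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\|host=(?P<host>[^|]*)\|client=(?P<client>[^|]*)"
    r"\|event=(?P<event>[^|]*)\|url=(?P<url>.*)\|vs=(?P<vs>[^|\s]*)\s*"
    r"\|http_status=(?P<http_status>\d{3})"
    r"\|http_request_response_delta_ms=\s*(?P<delta_ms>-?\d+)"
    r"\|desc=(?P<desc>[^|]*)\|\s*$")

def parse_hsl_line(line):
    """Return a dict of fields, or None if the line is not in the iRule's format."""
    m = LINE_RE.match(line)
    if m is None or int(m.group("pri")) > 191:
        return None
    rec = m.groupdict()
    code = int(rec.pop("pri"))
    rec["facility"], rec["severity"] = FACILITIES[code >> 3], SEVERITIES[code & 7]
    rec["http_status"] = int(rec["http_status"])
    rec["delta_ms"] = int(rec["delta_ms"])
    # Flag records whose URL carries the field delimiter, for analyst review.
    rec["url_has_delimiter"] = "|" in rec["url"]
    return rec

# Constructed sample payloads (documentation addresses, not real traffic).
SAMPLE_OK = ("<191>|host=bigip1.example.com|client=192.0.2.10:51515"
             "|event=HTTP_RESPONSE|url=www.example.com/index.html"
             "|vs=203.0.113.5:80 |http_status=200"
             "|http_request_response_delta_ms= 12|desc=HTTP response|\n")
SAMPLE_PIPE = SAMPLE_OK.replace("/index.html", "/?q=a|http_status=404")

if __name__ == "__main__":
    print(pri("local7", "debug"))
    print(parse_hsl_line(SAMPLE_OK))
    print(parse_hsl_line(SAMPLE_PIPE))
```

Because the URL is written into the log unescaped, a naive split on `|` would take the status from the second sample's URL; anchoring on the trailing fields keeps the status the BIG-IP reported.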
