Forum Discussion
Skuba_85554
Nimbostratus
Jun 08, 2011
logging question
can someone please explain the difference between 'log' and 'log user.warn'?
basically, i'm looking at implementing lupo's irule "", but someone has suggested that i replace...
log "\[VS [IP::local_addr]:[TCP::local_port] client [IP::remote_addr]:[TCP::remote_port]\]:TLS/SSL renegotiation"
with...
log user.warn "\[VS [IP::local_addr]:[TCP::local_port] client [IP::remote_addr]:[TCP::remote_port]\]:TLS/SSL renegotiation"
any advice as to whether or not this is correct would be much appreciated
thanks
11 Replies
- Hamish
Cirrocumulus
The difference is that
log "xxx"
uses the default log facility and level. Whereas you can specify the exact facility and level with
log facility.level "some text"
For a list of facilities and levels have a look at the docs for syslog-ng (Google syslog-ng and it should keep you going for a while :). When you specify the facility and level yourself, you can determine where syslog-ng will write the logs (e.g. if you used an unused facility you could just send everything for his irule to your own file... Although admittedly you could also write a filter for that, so the explanation is probably a bit high-level :)
H
- Skuba_85554
Nimbostratus
thanks for your reply
in a nutshell, are you saying that both 'log' and 'log user.warn' will both work? it just depends on which log you want to write to? presumably, 'log' will simply log to the default ltm log file?
thanks again
- nitass
Employee
yes, it will be written to /var/log/ltm.
log wiki
http://devcentral.f5.com/wiki/default.aspx/iRules/log.html
- JRahm
Admin
If you want to see all the messages instead of a message like "received x times", you'll want to at least specify log local0. "message"
- hoolio
Cirrostratus
As Jason and Nitass suggested:
http://devcentral.f5.com/wiki/default.aspx/iRules/log
There is a significant behavioral difference when the optional facility.level is specified. When an iRule logs messages without the facility and/or level, they are rate-limited as a class, and subsequently logged messages within the rate-limit period may be suppressed even though they are textually different. However, when the facility and/or level are specified, the log messages are not rate-limited (though syslog-ng will still perform suppression of repeated duplicates).
Aaron
- hoolio
Cirrostratus
...
- Skuba_85554
Nimbostratus
ok, thanks for the information
i don't have a great deal of experience with syslog, so i'm just trying to get my head around this issue. basically, i just need a log of all ssl re-negotiation attempts and i thought the following command (included in lupo's irule) would indeed log them all...
log "\[VS [IP::local_addr]:[TCP::local_port] client [IP::remote_addr]:[TCP::remote_port]\]:TLS/SSL renegotiation"
however, when we implemented lupo's irule and initiated some ssl-renegotiations, nothing was logged, which left me puzzled. a colleague advised that we should use the following command to log all ssl-renegotiations instead of the command above...
log user.warn "\[VS [IP::local_addr]:[TCP::local_port] client [IP::remote_addr]:[TCP::remote_port]\]:TLS/SSL renegotiation"
from my point of view, i don't care where or how it is logged... i just need to ensure that it is logged! (hope that makes sense!)
thanks
- hoolio
Cirrostratus
Which LTM version are you testing this on? Are you able to reproduce requests for renegotiation? Can you post the iRule you're testing? Can you try logging to local0.info and checking for the log output in /var/log/ltm?
Aaron
- nitass
Employee
this is my test.
[root@orchid:Active] config b version|grep -iA 1 version
BIG-IP Version 10.2.1 511.0
Hotfix HF3 Edition
[root@orchid:Active] config b virtual bar list
virtual bar {
snat automap
pool foo
destination 172.28.17.88:https
ip protocol tcp
rules myrule
profiles {
myclientssl {
clientside
}
tcp {}
}
}
[root@orchid:Active] config b profile myclientssl list
profile clientssl myclientssl {
defaults from clientssl
renegotiate enable
}
[root@orchid:Active] config b rule myrule list
rule myrule {
when CLIENT_ACCEPTED {
set sslhandshakecount 0
}
when CLIENTSSL_HANDSHAKE priority 100 {
incr sslhandshakecount
if { $sslhandshakecount != 1 } {
log "\[VS [virtual] client [IP::client_addr]:[TCP::client_port]\]: TLS/SSL renegotiation occurred, dropping connection"
TCP::close
}
}
}
/var/log/ltm
Jun 9 06:36:14 local/tmm info tmm[5201]: 01220002:6: Rule myrule : [VS bar client 172.28.17.50:55916]: TLS/SSL renegotiation occurred, dropping connection
- Skuba_85554
Nimbostratus
- BIG-IP 9.3.1 Build 69.0
- we have reproduced renegotiation requests using web sites such as this https://www.ssllabs.com/ssldb/
- the irule we're using is as follows (it's basically a cut/paste from the bottom of http://support.f5.com/kb/en-us/solutions/public/10000/700/sol10737.html)...
when CLIENT_ACCEPTED {
    # initialize TLS/SSL handshake count for this connection
    set sslhandshakecount 0
}
when CLIENTSSL_HANDSHAKE priority 1 {
    # a handshake just occurred
    incr sslhandshakecount
    # is this the first handshake in this connection?
    if { $sslhandshakecount > 1 } {
        # log the event (to /var/log/tmm)
        log "\[VS [IP::local_addr]:[TCP::local_port] client [IP::remote_addr]:[TCP::remote_port]\]:TLS/SSL renegotiation"
        # if not, close the clientside connection
        reject
    }
}
- we cannot easily change the logging to local0.info as this particular big ip cluster is in a managed environment (strict change control, 8 day lead time, etc)
any ideas as to why it's not logging?
thanks
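Once the iRule does log, the next question is what to do with the entries in /var/log/ltm. The following Python script is an added example, not code from the thread or from F5: it parses iRule log lines in the layout of the /var/log/ltm entry nitass quoted above, keeps only the renegotiation messages, counts them per client address, and flags clients that renegotiate repeatedly inside a short window. The sample log lines are constructed for the example, and the optional event name in angle brackets after the rule name (absent from the quoted line) is an assumption about the line layout.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines (not real captures) in the layout of the /var/log/ltm
# entry quoted in the thread: syslog timestamp, host/facility, level, tmm pid,
# message id, rule name, then the iRule's own log text. The last line is an
# unrelated daemon message that the parser must ignore.
SAMPLE_LTM_LOG = """\
Jun 9 06:36:14 local/tmm info tmm[5201]: 01220002:6: Rule myrule : [VS bar client 172.28.17.50:55916]: TLS/SSL renegotiation occurred, dropping connection
Jun 9 06:36:15 local/tmm info tmm[5201]: 01220002:6: Rule myrule : [VS bar client 172.28.17.50:55917]: TLS/SSL renegotiation occurred, dropping connection
Jun 9 06:36:20 local/tmm info tmm[5201]: 01220002:6: Rule myrule : [VS bar client 172.28.17.51:40001]: TLS/SSL renegotiation occurred, dropping connection
Jun 9 06:37:02 local/mcpd notice mcpd[2048]: 01070639:5: unrelated message, not from an iRule
"""

# The "<EVENT>" tag after the rule name is optional here (assumption): the line
# quoted on the page has none. The client address is matched non-greedily so the
# last colon before "]" is taken as the port separator.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s(?P<level>\w+)\s"
    r"tmm\[(?P<pid>\d+)\]:\s"
    r"(?P<msgid>[0-9A-Fa-f]{8}:\d+):\s"
    r"Rule\s(?P<rule>\S+)\s(?:<(?P<event>[^>]*)>)?\s*:\s"
    r"\[VS\s(?P<vs>\S+)\sclient\s(?P<client_ip>.+?):(?P<client_port>\d+)\]:\s*"
    r"(?P<text>.*)$"
)


def parse_line(line):
    """Return the fields of one iRule log line as a dict, or None when the
    line is not an iRule log line in the expected layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def _to_datetime(ts):
    # syslog timestamps carry no year; pin a leap year so "Feb 29" still parses.
    # The values are only used for differences within one log file.
    return datetime.strptime(f"{ts} 2000", "%b %d %H:%M:%S %Y")


def renegotiation_events(log_text):
    """All parsed events whose iRule text reports a TLS/SSL renegotiation."""
    events = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and "TLS/SSL renegotiation" in fields["text"]:
            fields["time"] = _to_datetime(fields["ts"])
            events.append(fields)
    return events


def renegotiations_per_client(log_text):
    """Counter of renegotiation events keyed by client IP."""
    return Counter(e["client_ip"] for e in renegotiation_events(log_text))


def bursty_clients(log_text, threshold=2, window_seconds=60):
    """Clients with at least `threshold` renegotiations inside any window of
    `window_seconds`; maps client IP to the largest such count."""
    times = defaultdict(list)
    for e in renegotiation_events(log_text):
        times[e["client_ip"]].append(e["time"])
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):
            # advance the window start until the span fits within window_seconds
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, n in renegotiations_per_client(SAMPLE_LTM_LOG).most_common():
        print(f"{ip}: {n} renegotiation(s)")
    print("bursty clients:", bursty_clients(SAMPLE_LTM_LOG))
```

Run it against a copy of /var/log/ltm (for example by reading the file into `log_text`) rather than against the constructed sample to get real counts; the window and threshold are deliberately small so the sample shows a flagged client, and in production they should be tuned to how often legitimate clients on the virtual server renegotiate.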