JG
May 17, 2014
Logging SMTP traffic info via HSL to remote log server.
Our SMTP servers need info about the mail messages being sent in order to identify the mail-sending devices (and thereby the mail-sending users), but are not able to do so due to the use of SNATs on the LTM. I have put together an iRule based on some existing shared code to log the relevant info to a remote log server, as shown below. I'd appreciate it if anybody can let me know if there is anything missing/incorrect in it:
when CLIENT_ACCEPTED {
    # One HSL handle per TCP connection; the pool holds the remote syslog collector(s).
    # UDP is fire-and-forget, so occasional lost lines under load are to be expected.
    set hsl [HSL::open -proto UDP -pool /APPLICATION/test_logserver]
    set tstamp [clock format [clock seconds] -format "%d/%m/%Y %H:%M:%S %z"]
    # <22> is the syslog PRI for facility mail (2) and severity info (6).
    HSL::send $hsl "<22> $tstamp [IP::client_addr]:[TCP::client_port]->[IP::local_addr]:[TCP::local_port] CLIENT_ACCEPTED\n"
    TCP::collect
}
when CLIENT_DATA {
    set cdata [TCP::payload]
    # Only act on complete lines; a command split across segments stays buffered
    # until the rest of it arrives.
    set end [string last "\r\n" $cdata]
    if { $end < 0 } {
        return
    }
    set complete [string range $cdata 0 [expr {$end + 1}]]
    set tstamp [clock format [clock seconds] -format "%d/%m/%Y %H:%M:%S %z"]
    # Clients that use PIPELINING send MAIL FROM, RCPT TO and DATA in one segment,
    # so every complete line is checked, not just the start of the buffer.
    # SMTP verbs are case-insensitive, hence the lower-cased comparison.
    foreach line [split $complete "\n"] {
        set line [string trim $line]
        set lline [string tolower $line]
        if { $lline starts_with "mail from:" || $lline starts_with "rcpt to:" } {
            # Only the envelope command is logged, never headers or message body.
            # (A body line that happens to begin with one of these verbs would
            # still match; track the DATA state if that matters to you.)
            HSL::send $hsl "<22> $tstamp [IP::client_addr]:[TCP::client_port]->[IP::local_addr]:[TCP::local_port] $line\n"
        }
    }
    # Forward the complete lines to the server and keep collecting for the next
    # command. Returning without TCP::release would hold the command back and
    # stall the session, because the server never sees it.
    TCP::release [expr {$end + 2}]
    TCP::collect
}
when CLIENT_CLOSED {
    set tstamp [clock format [clock seconds] -format "%d/%m/%Y %H:%M:%S %z"]
    HSL::send $hsl "<22> $tstamp [IP::client_addr]:[TCP::client_port]->[IP::local_addr]:[TCP::local_port] CLIENT_CLOSED\n"
}
Another question: if an SMTP security profile in ASM is enabled, will this iRule run first, or only after the security profile has been assessed?
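The collector side of this setup, as an added example that is not part of the original post: a Python script that parses lines in the format the iRule's HSL::send strings produce and correlates them per TCP 4-tuple, so the SMTP administrator can map each envelope sender to the pre-SNAT client address. The sample lines are constructed, the field layout is taken from the iRule's log strings, and the code assumes the collector writes each HSL datagram as one line unchanged; the session key assumes a client address:port pair is unique for the life of one connection.

```python
"""Correlate HSL syslog lines from the SMTP logging iRule into mail sessions.

Line layout, as emitted by the iRule:
  <PRI> dd/mm/yyyy HH:MM:SS +zzzz client_ip:port->vip_ip:port <event-or-command>
"""
import re
from datetime import datetime

# Constructed sample of what the iRule would send to the collector (not real
# traffic). Two devices; the second session is still open, uses a lower-case
# verb and keeps its trailing CRLF; the last line is noise on the collector.
SAMPLE_LINES = [
    "<22> 17/05/2014 10:15:02 +0100 10.1.2.3:51234->10.0.0.25:25 CLIENT_ACCEPTED",
    "<22> 17/05/2014 10:15:02 +0100 10.1.2.3:51234->10.0.0.25:25 MAIL FROM:<alice@example.com> SIZE=2048",
    "<22> 17/05/2014 10:15:03 +0100 10.1.2.3:51234->10.0.0.25:25 RCPT TO:<bob@example.net>",
    "<22> 17/05/2014 10:15:03 +0100 10.1.2.3:51234->10.0.0.25:25 RCPT TO:<carol@example.org>",
    "<22> 17/05/2014 10:15:09 +0100 10.1.2.3:51234->10.0.0.25:25 CLIENT_CLOSED",
    "<22> 17/05/2014 10:15:05 +0100 10.1.2.4:40001->10.0.0.25:25 CLIENT_ACCEPTED",
    "<22> 17/05/2014 10:15:05 +0100 10.1.2.4:40001->10.0.0.25:25 mail from: eve@example.com\r\n",
    "this line is not from the iRule",
]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [+-]\d{4})\s+"
    r"(?P<cip>[0-9a-fA-F.:]+):(?P<cport>\d+)->"
    r"(?P<lip>[0-9a-fA-F.:]+):(?P<lport>\d+)\s+"
    r"(?P<msg>.*?)\s*$"          # \s*$ swallows a trailing CRLF if the iRule logs it
)
ADDR_RE = re.compile(r"<([^>]*)>")


def parse_line(line):
    """Return a dict for one HSL line, or None if the line is not in our format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,   # <22> -> 2 (mail)
        "severity": pri & 7,    # <22> -> 6 (info)
        "time": datetime.strptime(m.group("ts"), "%d/%m/%Y %H:%M:%S %z"),
        "client": (m.group("cip"), int(m.group("cport"))),
        "local": (m.group("lip"), int(m.group("lport"))),
        "msg": m.group("msg"),
    }


def envelope_address(command):
    """Extract the address from 'MAIL FROM:<a@b> SIZE=1' or 'RCPT TO: c@d'."""
    _, _, rest = command.partition(":")
    rest = rest.strip()
    m = ADDR_RE.search(rest)
    if m:
        return m.group(1).strip()
    return rest.split()[0] if rest else ""


def _new_session(rec):
    return {"client": rec["client"], "local": rec["local"],
            "opened": rec["time"], "closed": None, "envelopes": []}


def build_sessions(lines):
    """Group lines by TCP 4-tuple; each session lists the envelopes (MAIL FROM + RCPT TOs) seen."""
    open_sessions, finished = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["local"])
        msg, verb = rec["msg"], rec["msg"].lower()
        if verb == "client_accepted":
            open_sessions[key] = _new_session(rec)   # a reused 4-tuple starts afresh
            continue
        sess = open_sessions.get(key)
        if sess is None:
            # Command without CLIENT_ACCEPTED, e.g. the UDP datagram was lost:
            # synthesize the session rather than drop the evidence.
            sess = open_sessions[key] = _new_session(rec)
        if verb == "client_closed":
            sess["closed"] = rec["time"]
            finished.append(open_sessions.pop(key))
        elif verb.startswith("mail from:"):
            sess["envelopes"].append({"time": rec["time"],
                                      "sender": envelope_address(msg), "recipients": []})
        elif verb.startswith("rcpt to:"):
            if not sess["envelopes"]:   # RCPT TO before any MAIL FROM (lost line)
                sess["envelopes"].append({"time": rec["time"], "sender": None, "recipients": []})
            sess["envelopes"][-1]["recipients"].append(envelope_address(msg))
    return finished + list(open_sessions.values())   # still-open sessions included


def senders_by_device(lines):
    """Map each client IP (the real sending device, pre-SNAT) to the envelope senders it used."""
    out = {}
    for sess in build_sessions(lines):
        for env in sess["envelopes"]:
            out.setdefault(sess["client"][0], set()).add(env["sender"])
    return out


if __name__ == "__main__":
    for ip, senders in sorted(senders_by_device(SAMPLE_LINES).items()):
        print(ip, sorted(senders))
```

Because HSL over UDP can drop datagrams, the correlation tolerates a missing CLIENT_ACCEPTED or MAIL FROM rather than discarding the rest of the session; if every line matters, use `-proto TCP` in `HSL::open` at the cost of some CPU on the BIG-IP.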