Forum Discussion
Logging some log on a remote syslog and not on the log file
Hi,
I try to do something via iRules but it's not working.
Our F5 BIG-IP is a reverse proxy and I want to log the public client IP to know who was connected to which URL. But it represents a lot of logs.
So, I try to put this log directly on a remote syslog server without passing through the BIG-IP log file.
I do that via an iRule (the HSL doesn't work with our syslog server for instance). I tried several implementations with the log command:
* log XXX.XXX.XXX.XXX local0. ...
* log -noname XXX.XXX.XXX.XXX local0. ...
But nothing works. Below, you will find my iRule.
when HTTP_REQUEST {
set host [HTTP::host]
set path [HTTP::path]
}
when SERVER_CONNECTED {
log xxx.xxx.xxx.xxx local0. "Client Source IP: [IP::client_addr] --- HOST: $host$path"
}
If someone could help me, it would be wonderful. Actually, I have a full log file which turns during the day and the syslog server keeps all the logs. But I want to improve this.
Thanks in advance.
Best regards,
Agathe
- m_najafikhah_20
Nimbostratus
Hi
If you want to know the public client IP, you must enable X-Forwarded-For on LTM. Another solution is to ship your F5 logs to a log collector (for example, ArcSight Logger); after that you can search any log without duplicating logs.
- Agathe_309970
Altocumulus
Hi,
Thanks for your reply.
Yes, I have X-Forwarded-For enabled. But it just inserts the information in the HTTP request, no? So it is the server after the BIG-IP which recovers this information. And I don't have access to all the servers behind the BIG-IP...
Thanks.
- youssef1
Cumulonimbus
Hi,
I think that the best way to fix your problem is first to investigate why HSL doesn't work.
First:
Create a pool with the following name: "syslog_server_pool"
In this pool, set your syslog server with the right port.
Create this iRule and attach it to your VS:
when CLIENT_ACCEPTED {
    set hsl [HSL::open -proto UDP -pool syslog_server_pool]
}
when HTTP_REQUEST {
    # Log HTTP request via syslog protocol as local7.info; see RFC 3164 for more info
    # <190> is the syslog PRI for local7.info (facility 23 * 8 + severity 6)
    HSL::send $hsl "<190> IP: [IP::local_addr] - URI: [HTTP::uri]\n"
}
Once your iRule is attached, validate that the F5 sends logs using tcpdump:
tcpdump -nni 0.0 host syslog-server-ip1 or host syslog-server-ip2
You can validate that logs egress by the right interface ...
Regards,
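To check what actually arrives at the collector side of the tcpdump test above, the following added example (not code from the thread or from F5) decodes the RFC 3164 PRI of each UDP datagram: a payload that begins with `<190>` decodes as local7.info, the priority the iRule comment names, while a payload with no PRI is treated as user.notice. The listening port 5514 and the sample payloads are assumptions constructed for illustration.

```python
import re
import socket

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode(datagram: bytes) -> dict:
    """Decode the RFC 3164 PRI of one datagram; the rest is returned as text."""
    m = PRI_RE.match(datagram)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        body = datagram[m.end():]
    else:
        # No valid PRI: an RFC 3164 relay treats the packet as PRI 13 (user.notice).
        pri, body = None, datagram
    facility, severity = divmod(13 if pri is None else pri, 8)
    return {
        "pri": pri,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "msg": body.decode("utf-8", "replace").strip(),
    }


def listen(bind_addr: str = "0.0.0.0", port: int = 5514) -> None:
    """Print every datagram received; 5514 is an assumed unprivileged port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _) = sock.recvfrom(8192)
            print(src, decode(data))


# Constructed sample payloads in the "IP: ... - URI: ..." format used in the thread.
WITH_PRI = b"<190>IP: 192.0.2.10 - URI: /login\n"
WITHOUT_PRI = b"IP: 192.0.2.10 - URI: /login\n"

if __name__ == "__main__":
    print(decode(WITH_PRI))
    print(decode(WITHOUT_PRI))
    listen()
```

Run it on a test host, point a pool member at that host and port, and compare the decoded facility and severity with the filter rules on the real syslog server.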