Forum Discussion

Techgeeeg_28888
Oct 15, 2014

Logging the request coming to a Virtual Server

Hi Everyone,

 

I want to record each and every hit on my Virtual Server. I want the hit log to be sent to my Syslog server. I have configured the Syslog IP under the "Remote Logging" configuration in the GUI. But I am not getting the logs of Remote IP addresses connecting to my Virtual Servers. Have I missed any configuration? Do I need to configure anything under the virtual server configuration? Need some quick response pls.

 

Regards,b

 

  • Thanks Kevin, I need to ask one more thing here. Is the high speed logging applicable only to a particular type of virtual server, or is it for all types of Virtual Servers?

     


    • Kevin_Davies_40
      Any type of virtual server. The fastL4 version may have some restrictions.
  • It does not log hits by default. You need an iRule for that. Attach this to your virtual server. This will log to syslog.

    when CLIENT_ACCEPTED {
      log local0. "Client [IP::client_addr] accessed [virtual]"
    }
    

    But high speed logging is what you need for production. Define a pool with log server(s) in it.

    when CLIENT_ACCEPTED {
      # Open an HSL handle to the pool of syslog servers for this connection
      set hsl [HSL::open -proto UDP -pool syslog_server_pool]
      # Send through the handle set above
      HSL::send $hsl "<190> Client [IP::client_addr] accessed [virtual]\n"
    }
    
  • jk303

    Can the LTM also log the specific URI/URL user hits? Not just the client IP and VIP name but actual full url? Thank you.

     

  • Can the LTM also log the specific URI/URL user hits?

     

    Yes sure it can, you just need to use a different event to access the HTTP information at layer 7. However in version 11 of BIGIP there is a built-in function to do this. It is called the request logging profile.

     

    https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-external-monitoring-implementations-11-4-0/1.html

     

  • Meet the loginator!!!

    when CLIENT_ACCEPTED {
      # Per-connection HSL handle; the HTTP events below reuse it as $hsl
      set hsl [HSL::open -proto UDP -pool syslog_server_pool]
    }
    when HTTP_REQUEST {
        HSL::send $hsl "<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
        HSL::send $hsl "Client: [IP::client_addr]:[TCP::client_port]"
        HSL::send $hsl "[HTTP::method] [HTTP::uri]"
        HSL::send $hsl "HTTP \/[HTTP::version]"
        # Log every request header
        foreach aHeader [HTTP::header names] {
            HSL::send $hsl "$aHeader: [HTTP::header value $aHeader]"
        }
        # Collect the request body so HTTP_REQUEST_DATA can log it
        if {[HTTP::header exists "Content-Length"] } {
            HTTP::collect [HTTP::header "Content-Length"]
        } else {
            HTTP::collect 1048576
        }
    }
    
    when HTTP_REQUEST_DATA {
        HSL::send $hsl "Payload: [HTTP::payload]"
        HTTP::release
    }
    
    when HTTP_RESPONSE {
        HSL::send $hsl ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
        # Log every response header
        foreach aHeader [HTTP::header names] {
            HSL::send $hsl "$aHeader: [HTTP::header value $aHeader]"
        }
    }
    
  • Since you went there... I wasn't going to, as the built-in capability is easier to use and manage.

    However, if you are going to log from an iRule then you need a way to correlate the log information, as there are multiple connections and many HTTP requests. The prefix specified below allows you to correlate each TCP session and the HTTP requests that belong to that session in the logs.

    when CLIENT_ACCEPTED {
      set hsl [HSL::open -proto UDP -pool syslog_server_pool]
      set prefix "\[[IP::client_addr]:[TCP::remote_port]\]:" 
      HSL::send $hsl "<190> $prefix New Connection to [virtual]\n"
    }
    
    when HTTP_REQUEST {
      set prefix "\[[IP::client_addr]:[TCP::remote_port]:[expr { rand() * 1000000 }]\]:" 
      HSL::send $hsl "<190> $prefix URL http(s)://[HTTP::host][HTTP::uri]"
    }
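
Receiving-side Python for the correlation prefix in the post above, as an added example that is not part of the original thread: it groups the iRule's lines by client address and port and decodes the `<190>` priority (190 = 23 × 8 + 6, which is local7.info). The sample lines, addresses and virtual server name are constructed, and the line layout is assumed from the iRule's format strings.

```python
import re

SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
# Line layout assumed from the iRule: "<PRI> [addr:port(:request-id)]: message"
LINE_RE = re.compile(r"^<(\d{1,3})>\s*\[([^\]]+)\]:\s*(New Connection to|URL)\s+(.*)$")

# Constructed sample lines (documentation addresses), not captured from a real BIG-IP.
SAMPLE_LOG = """\
<190> [192.0.2.10:51234]: New Connection to /Common/vs_web
<190> [192.0.2.10:51234:483920.117]: URL http(s)://www.example.com/login?next=/home
<190> [192.0.2.10:51234:77112.5]: URL http(s)://www.example.com/search?q=\x1b[2Jx
<190> [2001:db8::7:40022]: New Connection to /Common/vs_web
<190> [2001:db8::7:40022:912.25]: URL http(s)://[2001:db8::1]:8443/api
"""


def decode_pri(pri):
    """Split a syslog PRI into (facility, severity); PRI = facility * 8 + severity."""
    facility, severity = divmod(pri, 8)
    name = f"local{facility - 16}" if 16 <= facility <= 23 else f"facility{facility}"
    return name, SEVERITIES[severity]


def correlate(lines):
    """Group request lines under the TCP connection (client addr, port) they share."""
    sessions = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a line written by the iRule
        pri, prefix, kind, rest = m.groups()
        is_conn = kind == "New Connection to"
        # Split from the right so an IPv6 client address keeps its own colons.
        parts = prefix.rsplit(":", 1 if is_conn else 2)
        if len(parts) != (2 if is_conn else 3) or not parts[1].isdigit():
            continue
        entry = sessions.setdefault((parts[0], int(parts[1])),
                                    {"virtual": None, "pri": decode_pri(int(pri)), "requests": []})
        if is_conn:
            entry["virtual"] = rest
        else:
            # The URL is client-controlled: drop control characters before storing it.
            entry["requests"].append((parts[2], "".join(c for c in rest if c.isprintable())))
    return sessions


if __name__ == "__main__":
    for (addr, port), entry in correlate(SAMPLE_LOG.splitlines()).items():
        print(addr, port, entry["virtual"], entry["pri"], entry["requests"])
```

A client can reuse the same source port later, so a long-running correlator would also need to bound each session by time.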
    
  • This can be done through iRules and LTM policies.

     

    log local0. "[HTTP::uri] is http uri"

     

    In LTM policies, there is an option to log when creating a rule.