Logging when there are multiple threads from one host

Question

Hi,&nbsp;
&nbsp;I got a question from the development team that I doubt I can solve with a LTM but why not ask here, maybe anyone got a idea if it's possible at all.&nbsp;
&nbsp;We have a application (web service) on port 443. The SSL is terminated at the LTM/BIGIP (v10.2.x).
&nbsp;They wonder if I can somehow log if there is multiple threads from a single source IP.
&nbsp;Not sure how this is possible, how do i count threads? is it equal to two simultaneous connections from one single IP? or is it possible to have several threads within 1 current/open connection?
&nbsp;If I should log two or more simultaneous connections from a single IP I guess it's possible with a iRule, check if the source/client IP is in some table and then log it to syslog.&nbsp;
&nbsp;But... still not sure if that will do. Anyone in here that got similar situations that you have solved?&nbsp;
&nbsp;//Robert&nbsp;

hooleylist · Answer

Hi Robert, 
&nbsp;  
&nbsp; It would be relatively simple to track when a client reuses a TCP connection for multiple HTTP requests using HTTP::request_num &gt; 1: 
&nbsp;  
&nbsp; http://devcentral.f5.com/wiki/iRules.http__request_num.ashx 
&nbsp;  
&nbsp; If you wanted to track when clients open more than one TCP connection concurrently, you could increment a subtable with a key of the client IP and then decrement it in CLIENT_CLOSED. 
&nbsp;  
&nbsp; But I'm curious as to why you want to do this.  Is it for custom clients?  All current browsers open more than one TCP connection when loading the elements of a web page.  And all current browsers reuse TCP connections for multiple requests.  So if you did implement this type of logging, it would be triggered constantly. 
&nbsp;  
&nbsp; Can you elaborate on why you want to do this? 
&nbsp;  
&nbsp; Aaron

mr_rj · Answer

Hi Hoolio, 
&nbsp;  
&nbsp; Thanks for the reply. Didnt check the subscripte checkbox to didnt notice the answer until now :) 
&nbsp; The background for the need of this is that we have web services that got a large range of customers/systems (not end users as internet explorer etc). 
&nbsp; We had a bit of a issue not long ago when one of the major customers had changed how their application was handling the communication towards one of these web services. They opened a lot of threads within the session and used more resources that we could handle. We have made changes in several areas to be able to handle this but we still would like to keep track on other customers if they also make changes that could have negative impact for the whole system. 
&nbsp;  
&nbsp; So, it would be great to log source IPs that use more then x threads within a session. 
&nbsp; I will read through the suggestion you made and try to build something around it. Things that I see that can be a bit tricky is the logging part. Statistics profile doesn't seem to be able to handle dynamic data so logging "source IP: 1.1.1.1 . This list must be dynamically built since I don't know the source IPs in advance. 
&nbsp;  
&nbsp; Thanks 
&nbsp; Robert &nbsp;

mr_rj · Answer

Hi again Aaron, 
&nbsp;  
&nbsp; when HTTP_REQUEST {  
&nbsp; if { [HTTP::request_num] &gt; 1 } {  
&nbsp;   log local0. "SourceIP [IP::remote_addr] - SYSTEMNAME_Threads_high [HTTP::request_num]" 
&nbsp;   } 
&nbsp; } 
&nbsp;  
&nbsp; Gave me: 
&nbsp;  
&nbsp; Dec  1 12:19:48 local/tmm info tmm[5376]: Rule SYSTEMNAME_TestEnv_Threads_High_Log : SourceIP 127.40.160.226 - SYSTEMNAME_Threads_high 2 
&nbsp; Dec  1 12:19:50 local/tmm info tmm[5376]: Rule SYSTEMNAME_TestEnv_Threads_High_Log : SourceIP 127.40.160.226 - SYSTEMNAME_Threads_high 3 
&nbsp;  
&nbsp; So I guess that part works well! 
&nbsp; Would be nice to get it in it's own file or as I hoped for, a dynamically built list with sourceIPs and how many times the comparing number of threads has been crossed. 
&nbsp;  
&nbsp; Must be possible somehow =)  
&nbsp;  
&nbsp; //Robert &nbsp;

mr_rj · Answer

removing, the code didnt look good in formating&nbsp;

mr_rj · Answer

when RULE_INIT {
  array set ::customer_sourceip { }
}

when HTTP_REQUEST {

if { [HTTP::request_num] &gt; 1 } then { 
  if { ([info exists ::customer_sourceip([IP::client_addr])]) } { 
        incr ::customer_sourceip([IP::client_addr])
        log local0. "SourceIP - [IP::remote_addr] - _Threads_high [HTTP::request_num]"  
}
   else { set ::customer_sourceip([IP::client_addr]) 1 }
        log local0. "SourceIP - [IP::remote_addr] - _Threads_high [HTTP::request_num]"  
}

if { [HTTP::uri] starts_with "/ROB" } {
    HTTP::respond 200 content [array get ::customer_sourceip]

set td_html ""

foreach {SRC_IPS} [array get ::customer_sourceip] {
  append td_html "$SRC_IPS$SRC_IPS"

}
  append td_html ""
 HTTP::respond 200 content $td_html

}
}

I have some issues with the html page...
Found this post that you are were active in:
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/1172718/showtab/groupforums/Default.aspx

Seems to be the same problem in 10.2.1 :(
//Robert

Forum Discussion

Logging when there are multiple threads from one host

Recent Discussions

Can you set Kerberos AAA server via session variable?

HTML Code injection Not detected by ASM

What will be happen to live and existing connections when failover HA BIG IP active-standby

SSL Offload and remove FQDN

High CPU utilization (100%).

Related Content

Multiple Ways to Configure Usage Reporting in NGINX

Logging DNS Requests

F5 Distributed Cloud – Multiple custom certificates for HTTP/TCP LB

Multiple Kubernetes Clusters and Path-Based Routing with F5 Distributed Cloud

ASM logs

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS