logging X-Forwarded-For in WA hit logs

Looks like you want to log to /var/log/wa? iRules log to /var/log/ltm. I'll look around and see if I can come up with an option.

smp wrote a tech tip that might work. You'll need to edit syslog though.

http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1084377/Writing-to-and-rotating-custom-log-files.aspx

Simply have the iRule check to see whether X-Forwarded-For exists and if it does, log its value but start with a string around which you can filter. I've edited his examples a bit, hopefully this will work. I don't have an environment in which to test this so I'd strongly recommend testing it in a lab environment or running through it with support.

when HTTP_REQUEST {
if { [HTTP::header exists "X-Forwarded-For"] } {
   log local0. "X-Forwarded-For was [HTTP::header X-Forwarded-For]" }
}

Then you'll need to edit your syslog file as in the example.

Using smp's example:

tmsh modify sys syslog include '"
filter f_local0 {
    facility(local0) and not match(\": \");
};
 
filter f_local0_customwa {
    facility(local0) and match(\": \");
};
 
destination d_customwa {
    file(\"/var/log/wa\" create_dirs(yes));
};
 
log {
    source(local);
    filter(f_local0_customlog);
    destination(d_customlog);
};
"'

save the configuration change:
 
tmsh save / sys config
 
and restarting the syslog-ng service:
 
tmsh restart sys service syslog-ng

The %f field was introduced in 9.4.7 for this. See SOL10563 (http://support.f5.com/kb/en-us/solutions/public/10000/500/sol10563.html).

Yay! That's the answer I was looking for! Thanks, Drew.