Forum Discussion

rb1980_75708's avatar
rb1980_75708
Icon for Nimbostratus rankNimbostratus
Oct 28, 2010

logging X-Forwarded-For in WA hit logs

I already asked this question over a year ago [here] and never got any answer, so i'm asking again. I want to log the value of an X-Forwarded-For header in my WA access logs. There are plenty of examples on DC of how to do this on your origin server but none that talk about the WA hit logs. We have this mysterious "Custom Request Information" option available but I cannot find it documented anywere. Someone, please!
  • Looks like you want to log to /var/log/wa? iRules log to /var/log/ltm. I'll look around and see if I can come up with an option.
  • smp wrote a tech tip that might work. You'll need to edit syslog though.

    http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1084377/Writing-to-and-rotating-custom-log-files.aspx

    Simply have the iRule check to see whether X-Forwarded-For exists and if it does, log its value but start with a string around which you can filter. I've edited his examples a bit, hopefully this will work. I don't have an environment in which to test this so I'd strongly recommend testing it in a lab environment or running through it with support.

    when HTTP_REQUEST {
    if { [HTTP::header exists "X-Forwarded-For"] } {
       log local0. "X-Forwarded-For was [HTTP::header X-Forwarded-For]" }
    }
    

    Then you'll need to edit your syslog file as in the example.

    Using smp's example:

    tmsh modify sys syslog include '"
    filter f_local0 {
        facility(local0) and not match(\": \");
    };
     
    filter f_local0_customwa {
        facility(local0) and match(\": \");
    };
     
    destination d_customwa {
        file(\"/var/log/wa\" create_dirs(yes));
    };
     
    log {
        source(local);
        filter(f_local0_customlog);
        destination(d_customlog);
    };
    "'
    
    save the configuration change:
     
    tmsh save / sys config
     
    and restarting the syslog-ng service:
     
    tmsh restart sys service syslog-ng
    
  • Drew_Kane_23142's avatar
    Drew_Kane_23142
    Historic F5 Account
    The %f field was introduced in 9.4.7 for this. See SOL10563 (http://support.f5.com/kb/en-us/solutions/public/10000/500/sol10563.html).