Forum Discussion

Amr_Ali
Jul 15, 2023

LTM Logs

Hello,

Is there any way to see the IP of the client on LTM? I can only see statistics on the pool or VS; I need to find the source IP of the client.

  • Amr_Ali This depends on where the client is coming from and whether you are using a CDN. When using a CDN, you will have to look at the HTTP headers to find the X-Forwarded-For header field. If we are talking about a basic configuration, you can go to the following link and it's right at the top of the page.

    https://my.f5.com/manage/s/article/K33126241

    • Amr_Ali
      MVP

      Thanks, Paulius, for this info. If I make this iRule, will I be able to see the user's IP on the pool or just on the VS?

      And if not, is there any way to find which server in the pool a client's IP reached?

  • As Paulius described, for clients behind NATs you may see limited information, so for HTTP traffic, don't forget to look for the appropriate forwarded headers.

    Aside from that, there are a couple of ways to get the details you're looking for:

    1. an iRule to log the connection details (see example below)

    2. Local Traffic policy

    3. CLI

    This article talks about how client connection details are not logged by default and provides some methods to find them:

    K54934387: Collect client connections details:

    https://my.f5.com/manage/s/article/K54934387

    This article describes the process for creating an iRule or Local Traffic Policy to capture client connection details:

    K33126241: Log client IP addresses for new TCP sessions on a virtual server

    https://my.f5.com/manage/s/article/K33126241

    I also used VSCode CoPilot to write the following example iRule:

    
    # create an iRule to log all client- and server-side connection details
    # (the quoted 'EOF' makes the shell write the Tcl text verbatim)
    cat <<'EOF' > /config/connection_logging.irule
    when CLIENT_ACCEPTED {
        log local0. "client accepted: [IP::client_addr]:[TCP::client_port]"
    }

    when CLIENT_CLOSED {
        log local0. "client closed: [IP::client_addr]:[TCP::client_port]"
    }

    when SERVER_CONNECTED {
        log local0. "server connected: [IP::server_addr]:[TCP::server_port]"
    }

    when SERVER_CLOSED {
        log local0. "server closed: [IP::server_addr]:[TCP::server_port]"
    }

    when HTTP_REQUEST {
        log local0. "http request: [IP::client_addr]:[TCP::client_port] -> [IP::server_addr]:[TCP::server_port] [HTTP::method] [HTTP::host][HTTP::uri]"
    }

    when HTTP_RESPONSE {
        log local0. "http response: [IP::server_addr]:[TCP::server_port] -> [IP::client_addr]:[TCP::client_port] [HTTP::status] [HTTP::reason]"
    }
    EOF

     

    • Ben_Novak
      Employee

      Since I leaned on VSCode CoPilot to write this iRule for me (I just typed the comment), I wanted to see if it would actually load.

      Remove the "[HTTP::reason]" from the last log statement and it will load/log traffic.

      Additional tweaking may be needed for your specific use case.
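
An added example, not code from the thread or from F5: a Python sketch that reads the "http request:" lines written by the iRule above and answers the follow-up question of which pool member each client IP reached. The syslog prefix in the sample lines, the addresses and the function names are constructed for illustration; only the message text after "http request:" follows the iRule's format.

```python
import re
from collections import defaultdict

# Matches only the message text written by the thread's HTTP_REQUEST handler;
# whatever syslog prefix the device puts in front of it is ignored.
REQ = re.compile(
    r"http request: (?P<client>\S+):(?P<cport>\d+) -> "
    r"(?P<member>\S+):(?P<mport>\d+) (?P<method>\S+) (?P<url>\S+)"
)

def strip_route_domain(addr):
    """Drop the %<id> suffix BIG-IP adds in non-default route domains."""
    return addr.split("%", 1)[0]

def parse(line):
    """Return (client_ip, 'member_ip:port', method, url), or None if no match."""
    m = REQ.search(line)
    if m is None:
        return None
    member = f"{strip_route_domain(m['member'])}:{m['mport']}"
    return strip_route_domain(m["client"]), member, m["method"], m["url"]

def clients_by_member(lines):
    """Build {pool member: {client IP: request count}} from log lines."""
    table = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse(line)
        if rec:
            table[rec[1]][rec[0]] += 1
    return {member: dict(clients) for member, clients in table.items()}

def members_for_client(lines, client_ip):
    """List the pool members that served requests from this client address."""
    table = clients_by_member(lines)
    return sorted(m for m, clients in table.items() if client_ip in clients)

# Constructed sample data; the prefix before "http request:" is an assumption.
PREFIX = "Jul 15 10:00:01 bigip1 info tmm[1]: Rule /Common/connection_logging "
SAMPLE = [
    PREFIX + "<CLIENT_ACCEPTED>: client accepted: 203.0.113.7:51544",
    PREFIX + "<HTTP_REQUEST>: http request: 203.0.113.7:51544 -> 192.0.2.11:80 GET app.example.com/login",
    PREFIX + "<HTTP_REQUEST>: http request: 203.0.113.7:51544 -> 192.0.2.11:80 GET app.example.com/home",
    PREFIX + "<HTTP_REQUEST>: http request: 198.51.100.23%2:40112 -> 192.0.2.12%2:80 POST app.example.com/api",
    PREFIX + "<HTTP_REQUEST>: http request: 203.0.113.7:51660 -> 192.0.2.12:80 GET app.example.com/img.png",
]

if __name__ == "__main__":
    for member, clients in clients_by_member(SAMPLE).items():
        print(member, clients)
```

The client address counted here is the one the BIG-IP saw on the connection; as noted in the thread, for clients behind a CDN or NAT the X-Forwarded-For header has to be consulted instead.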