Forum Discussion
steve_michaels
Sep 30, 2022Cirrus
Need iRule for logging all LDAPS requests to HSL Splunk
Hi DevCentral- We have a VS for loadbalancing our Domain Controllers. I need an iRule to log all LDAPS requests coming in to the VS and send to our HSL logging pool which used UDP port 514. Any h
- Oct 05, 2022
if ssl offload work on bigip(clientside ssl profile, client ldap), you can use CLIENTSSL_HANDSHAKE, CLIENTSSL_DATA irules event to collect decrypt payload
when CLIENTSSL_HANDSHAKE { # log local0. "[IP::client_addr]:[TCP::client_port]: SSL handshake completed, collecting SSL payload" set hsl [HSL::open -proto UDP -pool syslogvip_pool] SSL::collect } when CLIENTSSL_DATA { # log local0. "[IP::client_addr]:[TCP::client_port]: Collected bytes [SSL::payload length], releasing payload" # log local0. "\[SSL::payload\]: [SSL::payload]" HSL::send $hsl "DCreqlogging Client connect from [IP::client_addr]:[TCP::client_port]" HSL::send $hsl "DCreqlogging SSL Payload [SSL::payload]" SSL::release }
xuwen
Oct 05, 2022Cumulonimbus
if ssl offload work on bigip(clientside ssl profile, client ldap), you can use CLIENTSSL_HANDSHAKE, CLIENTSSL_DATA irules event to collect decrypt payload
when CLIENTSSL_HANDSHAKE {
# log local0. "[IP::client_addr]:[TCP::client_port]: SSL handshake completed, collecting SSL payload"
set hsl [HSL::open -proto UDP -pool syslogvip_pool]
SSL::collect
}
when CLIENTSSL_DATA {
# log local0. "[IP::client_addr]:[TCP::client_port]: Collected bytes [SSL::payload length], releasing payload"
# log local0. "\[SSL::payload\]: [SSL::payload]"
HSL::send $hsl "DCreqlogging Client connect from [IP::client_addr]:[TCP::client_port]"
HSL::send $hsl "DCreqlogging SSL Payload [SSL::payload]"
SSL::release
}
- steve_michaelsOct 05, 2022Cirrus
Thanks xuwen . i tested with the local logging and it is showing the Bind DN of the LDAPS request. Just what we need.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects