Forum Discussion

steve_michaels
Sep 30, 2022

Need iRule for logging all LDAPS requests to HSL Splunk

Hi DevCentral- We have a VS for load balancing our Domain Controllers. I need an iRule to log all LDAPS requests coming in to the VS and send to our HSL logging pool which uses UDP port 514. Any h
  • xuwen
    Oct 05, 2022

    If SSL offload works on the BIG-IP (client-side SSL profile, client LDAP), you can use the CLIENTSSL_HANDSHAKE and CLIENTSSL_DATA iRule events to collect the decrypted payload.

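    when CLIENTSSL_HANDSHAKE {
       # log local0. "[IP::client_addr]:[TCP::client_port]: SSL handshake completed, collecting SSL payload"
       # Open a UDP high-speed logging handle to the syslog pool for this connection
       set hsl [HSL::open -proto UDP -pool syslogvip_pool]
       # Start collecting decrypted client data; this triggers CLIENTSSL_DATA
       SSL::collect
    }
    when CLIENTSSL_DATA {
       # log local0. "[IP::client_addr]:[TCP::client_port]: Collected bytes [SSL::payload length], releasing payload"
       # log local0. "\[SSL::payload\]: [SSL::payload]"
       HSL::send $hsl "DCreqlogging Client connect from [IP::client_addr]:[TCP::client_port]"
       # The payload is the raw decrypted LDAP message (binary BER); a simple bind carries the password in it
       HSL::send $hsl "DCreqlogging SSL Payload [SSL::payload]"
       # Forward the collected data, then collect again so later requests on the same connection are logged too
       SSL::release
       SSL::collect
    }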
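
The iRule above sends the raw decrypted LDAP payload, which is binary BER and includes the password of any simple bind. The following is an added example, not part of xuwen's post or F5's code: a Python sketch of what a log consumer could extract from one complete LDAP request instead (message ID, operation, DN), with the credential dropped. It assumes the payload bytes reach the parser intact and hold exactly one PDU; the function names and the sample bytes are constructed for illustration.

```python
# Added example: summarise one LDAP request PDU without exposing credentials.
REQUEST_OPS = {0x60: "bind", 0x42: "unbind", 0x63: "search", 0x66: "modify",
               0x68: "add", 0x4A: "delete", 0x6C: "modifyDN", 0x6E: "compare",
               0x50: "abandon", 0x77: "extended"}
AUTH_CHOICES = {0x80: "simple", 0xA3: "sasl"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of payload")
    return tag, buf[pos:pos + length], pos + length

def summarize_ldap_request(payload):
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msg_id, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    op_tag, op, _ = read_tlv(msg, pos)
    out = {"msg_id": int.from_bytes(msg_id, "big"),
           "op": REQUEST_OPS.get(op_tag, "other(0x%02x)" % op_tag)}
    if op_tag == 0x60:                     # BindRequest: version, name, authentication
        _, _, p = read_tlv(op, 0)
        _, name, p = read_tlv(op, p)
        auth_tag, _, _ = read_tlv(op, p)   # value (password/SASL blob) is discarded
        out["dn"] = name.decode("utf-8", "replace")
        out["auth"] = AUTH_CHOICES.get(auth_tag, "unknown")
    elif op_tag == 0x63:                   # SearchRequest: first field is baseObject
        _, base, _ = read_tlv(op, 0)
        out["base"] = base.decode("utf-8", "replace")
    return out

def tlv(tag, value):                       # builds the constructed sample below
    return bytes([tag, len(value)]) + value
# Constructed sample input: simple bind, messageID 1 (not captured traffic)
SAMPLE_BIND = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, tlv(0x02, b"\x03")
              + tlv(0x04, b"cn=svc,dc=example,dc=com") + tlv(0x80, b"s3cret")))
```

A single CLIENTSSL_DATA event can hold a partial PDU or several PDUs, so a production consumer would need to buffer and loop rather than parse one message per log line.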