F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

RiverFish's avatar
RiverFish
Icon for Altostratus rankAltostratus
Oct 04, 2012

Newby needs irule help

Greetings. The software guys assigned this task to me, can anyone please help me come up with an irule?

 

"Please write an IRule or some kind of filter that inspects the last_login Cookie in the Http Resonse Header sent from our weblogic application servers.

 

The Cookie will have a Name of last_login, the Content field will contain the username and this is the element we want to filter on.

 

During times of troubleshooting program staff will contact someone in IT and ask them to enable this filter for some username. The expectation is this filter can sniff the response header where last_login=SomeUserName and write some dianostics to a file, such as the time and HTTP Header."

 

application delivery
dev
devops
iRules

7 Replies

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Oct 04, 2012
    e.g. 

    [root@ve10:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:80
   ip protocol 6
   rules myrule
   profiles {
      http {}
      tcp {}
   }
}
[root@ve10:Active] config  b rule myrule list
rule myrule {
   when HTTP_RESPONSE {
   if {[HTTP::cookie exists last_login]} {
      foreach aheader [HTTP::header names] {
         log local0. "[IP::client_addr]:[TCP::client_port] | ${aheader}: [HTTP::header value $aheader]"
      }
   }
}
}

 on client

[root@centos251 ~] curl -I http://172.28.19.79
HTTP/1.1 200 OK
Date: Thu, 04 Oct 2012 17:16:06 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
ETag: "4183e4-3e-9c564780"
Accept-Ranges: bytes
Content-Length: 62
Set-Cookie: last_login=tasmania path=/
Connection: close
Content-Type: text/html; charset=UTF-8

 on bigip

[root@ve10:Active] config  tail -f /var/log/ltm
Oct  5 00:59:48 local/tmm info tmm[4907]: Rule myrule : 172.28.19.251:49826 | Date: Thu, 04 Oct 2012 17:16:06 GMT
Oct  5 00:59:48 local/tmm info tmm[4907]: Rule myrule : 172.28.19.251:49826 | Server: Apache/2.2.3 (CentOS)
Oct  5 00:59:48 local/tmm info tmm[4907]: Rule myrule : 172.28.19.251:49826 | Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
Oct  5 00:59:48 local/tmm info tmm[4907]: Rule myrule : 172.28.19.251:49826 | ETag: "4183e4-3e-9c564780"
Oct  5 00:59:48 local/tmm info tmm[4907]: Rule myrule : 172.28.19.251:49826 | Accept-Ranges: bytes
Oct  5 00:59:48 local/tmm info tmm[4907]: Rule myrule : 172.28.19.251:49826 | Content-Length: 62
Oct  5 00:59:48 local/tmm info tmm[4907]: Rule myrule : 172.28.19.251:49826 | Set-Cookie: last_login=tasmania path=/
Oct  5 00:59:48 local/tmm info tmm[4907]: Rule myrule : 172.28.19.251:49826 | Connection: close
Oct  5 00:59:48 local/tmm info tmm[4907]: Rule myrule : 172.28.19.251:49826 | Content-Type: text/html; charset=UTF-8
  • RiverFish's avatar
    RiverFish
    Icon for Altostratus rankAltostratus
    Oct 04, 2012
    Thank you very much! I think I understand everything here. I'll put it in place and see how it goes.
  • RiverFish's avatar
    RiverFish
    Icon for Altostratus rankAltostratus
    Oct 05, 2012
    They have modified their request. Any help would be much appreciated. New request below:

     

     

    I'd like to make a modification to this request if we can. After further investigation we think it would be better to grep/filter the Response HTTP Header for a custom header we set instead of the last_login Cookie.

     

     

    We place the following header in the HTTP response when we have ARMON enabled on our side.

     

     

    The token to filter on is NTTN_ARMON

     

     

    Here's a example header

     

     

    Response Headers

     

    HTTP/1.1 200 OK

     

    Date: Fri, 05 Oct 2012 18:19:33 GMT

     

    Transfer-Encoding: chunked

     

    Content-Type: text/html; charset=ISO-8859-1

     

    Host-Address: 10.204.4.239

     

    NTTN_ARMON: jsmith,420,1348

     

    Host-Name: jsmith

     

    X-Powered-By: Servlet/2.5 JSP/2.1

     

     

    If we can sniff the response headers for:

     

    // all users

     

    NTTN_ARMON

     

    // and for a specific user

     

    NTTN_ARMON: ${some-username}

     

     

    then write/log an output of

     

    [time-f5-saw-response], [content of NTTN_ARMON header]
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Oct 05, 2012
    The rule is pretty close to the last one: 

    
when HTTP_RESPONSE {
if { [HTTP::header exists NTTN_ARMON] } {
log local0. "[clock format [clock seconds] -format {%Y-%m-%d %H:%M:%S}], [HTTP::header NTTN_ARMON]"
}
}

  • RiverFish's avatar
    RiverFish
    Icon for Altostratus rankAltostratus
    Oct 22, 2012
    Is there an easy way to direct the output of this iRule to it's own dedicated log instead of the system log?
  • Mohamed_Lrhazi's avatar
    Mohamed_Lrhazi
    Icon for Altocumulus rankAltocumulus
    Oct 22, 2012
    Maybe you'll find your answer here:

     

     

    https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/44/aft/1172420/showtab/groupforums/Default.aspx