Newby needs irule help

e.g.

[root@ve10:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:80
   ip protocol 6
   rules myrule
   profiles {
      http {}
      tcp {}
   }
}
[root@ve10:Active] config  b rule myrule list
rule myrule {
   when HTTP_RESPONSE {
   if {[HTTP::cookie exists last_login]} {
      foreach aheader [HTTP::header names] {
         log local0. "[IP::client_addr]:[TCP::client_port] | ${aheader}: [HTTP::header value $aheader]"
      }
   }
}
}

 on client

[root@centos251 ~] curl -I http://172.28.19.79
HTTP/1.1 200 OK
Date: Thu, 04 Oct 2012 17:16:06 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
ETag: "4183e4-3e-9c564780"
Accept-Ranges: bytes
Content-Length: 62
Set-Cookie: last_login=tasmania path=/
Connection: close
Content-Type: text/html; charset=UTF-8

 on bigip

[root@ve10:Active] config  tail -f /var/log/ltm
Oct  5 00:59:48 local/tmm info tmm[4907]: Rule myrule : 172.28.19.251:49826 | Date: Thu, 04 Oct 2012 17:16:06 GMT
Oct  5 00:59:48 local/tmm info tmm[4907]: Rule myrule : 172.28.19.251:49826 | Server: Apache/2.2.3 (CentOS)
Oct  5 00:59:48 local/tmm info tmm[4907]: Rule myrule : 172.28.19.251:49826 | Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
Oct  5 00:59:48 local/tmm info tmm[4907]: Rule myrule : 172.28.19.251:49826 | ETag: "4183e4-3e-9c564780"
Oct  5 00:59:48 local/tmm info tmm[4907]: Rule myrule : 172.28.19.251:49826 | Accept-Ranges: bytes
Oct  5 00:59:48 local/tmm info tmm[4907]: Rule myrule : 172.28.19.251:49826 | Content-Length: 62
Oct  5 00:59:48 local/tmm info tmm[4907]: Rule myrule : 172.28.19.251:49826 | Set-Cookie: last_login=tasmania path=/
Oct  5 00:59:48 local/tmm info tmm[4907]: Rule myrule : 172.28.19.251:49826 | Connection: close
Oct  5 00:59:48 local/tmm info tmm[4907]: Rule myrule : 172.28.19.251:49826 | Content-Type: text/html; charset=UTF-8

Thank you very much! I think I understand everything here. I'll put it in place and see how it goes.

They have modified their request. Any help would be much appreciated. New request below:

 

 

I'd like to make a modification to this request if we can. After further investigation we think it would be better to grep/filter the Response HTTP Header for a custom header we set instead of the last_login Cookie.

 

 

We place the following header in the HTTP response when we have ARMON enabled on our side.

 

 

The token to filter on is NTTN_ARMON

 

 

Here's a example header

 

 

Response Headers

 

HTTP/1.1 200 OK

 

Date: Fri, 05 Oct 2012 18:19:33 GMT

 

Transfer-Encoding: chunked

 

Content-Type: text/html; charset=ISO-8859-1

 

Host-Address: 10.204.4.239

 

NTTN_ARMON: jsmith,420,1348

 

Host-Name: jsmith

 

X-Powered-By: Servlet/2.5 JSP/2.1

 

 

If we can sniff the response headers for:

 

// all users

 

NTTN_ARMON

 

// and for a specific user

 

NTTN_ARMON: ${some-username}

 

 

then write/log an output of

 

[time-f5-saw-response], [content of NTTN_ARMON header]

The rule is pretty close to the last one:

when HTTP_RESPONSE {
if { [HTTP::header exists NTTN_ARMON] } {
log local0. "[clock format [clock seconds] -format {%Y-%m-%d %H:%M:%S}], [HTTP::header NTTN_ARMON]"
}
}

Bam! Thanks again!

Is there an easy way to direct the output of this iRule to it's own dedicated log instead of the system log?

Maybe you'll find your answer here:

 

 

https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/44/aft/1172420/showtab/groupforums/Default.aspx