For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ruggerfly1's avatar
Ruggerfly1
Icon for Nimbostratus rankNimbostratus
Jun 13, 2016

Request logging profile V11.5.3

Looking for best practices, or what's worked well on a logging profile: here's what I have in the template currently:

 

$DATE_NCSA F5=$BIGIP_HOSTNAME Source=$CLIENT_IP device=$User-Agent request=$HTTP_REQUEST Path=$HTTP_PATH Uri=$HTTP_URI query=$HTTP_QUERY status $HTTP_STATUS

 

Do I need he curly brackets around the variables? Ex request=${HTTP_REQUEST}

 

trying to grab all data in the URI/request, as well as status, user agent. Active sync is the goal and full URI string contains everything.

 

thanks

 

application delivery
LTM

10 Replies

  • Ryannnnnnnnn's avatar
    Ryannnnnnnnn
    Icon for Altocumulus rankAltocumulus
    Jun 14, 2016

    Here's an example of what we use for the majority of our http/https virtual servers

    client $CLIENT_IP:$CLIENT_PORT host.domain.com request $HTTP_REQUEST server $SERVER_IP:$SERVER_PORT
    • Ruggerfly1's avatar
      Ruggerfly1
      Icon for Nimbostratus rankNimbostratus
      Jun 14, 2016
      would this capture and log something like this? POST /Microsoft-Server-ActiveSync?Cmd=FolderSync&User=fakename&DeviceId=v140Device&DeviceType=SmartPhone HTTP/1.1 then in the Response Template I would log the HTTP_STATUS thanks!
    • Ruggerfly1's avatar
      Ruggerfly1
      Icon for Nimbostratus rankNimbostratus
      Jun 14, 2016
      Update - this captured the entire ActiveSync request with User, device, now waiting to see if the HTTP_STATUS from the response is correlated Request Template $DATE_NCSA ${Host} ${User-Agent} Source=$CLIENT_IP request=$HTTP_REQUEST Response Template $DATE_NCSA ${Host} Response HTTP_STATUS code HTTP_STATCODE
    • Ruggerfly1's avatar
      Ruggerfly1
      Icon for Nimbostratus rankNimbostratus
      Jun 14, 2016
      this is working well, but the separate lines to the logger is not correlating the request to the response. Is there a way to inject a session identifier so even on separate lines you can tie the response to the request? thanks
  • Ryan_80361's avatar
    Ryan_80361
    Icon for Cirrostratus rankCirrostratus
    Jun 14, 2016

    Here's an example of what we use for the majority of our http/https virtual servers

    client $CLIENT_IP:$CLIENT_PORT host.domain.com request $HTTP_REQUEST server $SERVER_IP:$SERVER_PORT
    • Ruggerfly1's avatar
      Ruggerfly1
      Icon for Nimbostratus rankNimbostratus
      Jun 14, 2016
      would this capture and log something like this? POST /Microsoft-Server-ActiveSync?Cmd=FolderSync&User=fakename&DeviceId=v140Device&DeviceType=SmartPhone HTTP/1.1 then in the Response Template I would log the HTTP_STATUS thanks!
    • Ruggerfly1's avatar
      Ruggerfly1
      Icon for Nimbostratus rankNimbostratus
      Jun 14, 2016
      Update - this captured the entire ActiveSync request with User, device, now waiting to see if the HTTP_STATUS from the response is correlated Request Template $DATE_NCSA ${Host} ${User-Agent} Source=$CLIENT_IP request=$HTTP_REQUEST Response Template $DATE_NCSA ${Host} Response HTTP_STATUS code HTTP_STATCODE
    • Ruggerfly1's avatar
      Ruggerfly1
      Icon for Nimbostratus rankNimbostratus
      Jun 14, 2016
      this is working well, but the separate lines to the logger is not correlating the request to the response. Is there a way to inject a session identifier so even on separate lines you can tie the response to the request? thanks