For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

hidnt_36310's avatar
hidnt_36310
Icon for Nimbostratus rankNimbostratus
Aug 01, 2016

Sendig VIP Syslog

Is there any F5 reference configure the VIP to send log a remote syslog server port 514?

 

Thanks

 

iRules
LTM
security

2 Replies

  • Josiah_39459's avatar
    Josiah_39459
    Historic F5 Account
    Aug 02, 2016

    If you just want one VIP to send remote logs you can use irules and the HSL directive

     

    https://devcentral.f5.com/wiki/iRules.HSL.ashx

     

    If you want everything to go to a remote syslog server you can configure that too in

     

    tmsh sys syslog remote-servers

     

    or via HSL as well

     

    https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-3-0/21.html?sr=56175355

     

    • Snl's avatar
      Snl
      Icon for Cirrostratus rankCirrostratus
      Aug 06, 2016

      Below Irule may help you

       

      Code
    when HTTP_REQUEST {

    set http_request_time [clock clicks -milliseconds]
    set timestamp [clock format [clock seconds] -format {%d/%b/%Y:%H:%M:%S %z}] 
    set remote [IP::remote_addr]
    set client [IP::client_addr]:[TCP::client_port]
    set url [HTTP::host][HTTP::uri]
    set referer [HTTP::header "Referer"]
    set vip [IP::local_addr]:[TCP::local_port]
    set httpMethod [HTTP::method]
    set httpVersion [HTTP::version]
    set xforwardfor [HTTP::header X-Forwarded-For]
    set url [string map " x" $url]
    set referer [string map " x" $referer] 
    set hsl [HSL::open -proto UDP -pool POOL_SYSLOG]

     Limit the url variable to 300 characters
    if {[string length $url] > 300} {
      set url "[string range $url 0 300]..."   
    }

     Limit the referer variable to 300 characters
    if {[string length $referer] > 300} {
      set referer "[string range $referer 0 300]..."   
    }

     Build the Request log line
    set request_log_line " $timestamp  [virtual name]  $client  $remote  $vip  $url  $referer  $httpMethod  $httpVersion" 
    log local0.info "Request - $request_log_line"
    }

    when HTTP_RESPONSE {

     VARIABLES
     Initialize local variables used in this rule
    
    set http_response_time [ clock clicks -milliseconds ]
    set client [IP::client_addr]:[TCP::client_port]
    set node [IP::server_addr]:[TCP::server_port]
    set nodeResp [HTTP::status]
    set payloadLength [HTTP::payload length]
    set responseTime [expr $http_response_time - $http_request_time]

      Build the Response log line
     set response_log_line "$client  $node  $nodeResp  $payloadLength  $responseTime  $http_request_time  $xforwardfor" 
    log local0.info "Response - $response_log_line"

     Write Request and Response log lines to the LTM log
    HSL::send $hsl "IRULE_COMMON_LOG : $request_log_line  -  $response_log_line"
     }