Forum Discussion

Akshay_SK
Jan 27, 2020

Sending HSL data in json format.

Just wanted to know if data can be sent via HSL in json format as below : HSL::send $hsl "{ "Attacker_IP":$remoteip, "Destination_IP":[IP::local_addr], "User-Agent":$useragent, "ISP":$isp, "Coun...
  • Dario_Garrido
    Jan 29, 2020

    One example of how to configure this.

    1.- Configure iRule.

    when SERVER_CONNECTED {
        catch {
            set hsl [HSL::open -publisher /Common/HSL_PUB]
        }
        set timestamp  [clock clicks -milliseconds]
        set cs_client_ip [clientside {IP::remote_addr}]
        set cs_client_port [clientside {TCP::remote_port}]
        set cs_server_ip [clientside {IP::local_addr}]
        set cs_server_port [clientside {TCP::local_port}]
        set ss_client_ip [serverside {IP::local_addr}]
        set ss_client_port [serverside {TCP::local_port}]    
        set ss_server_ip [serverside {IP::remote_addr}]
        set ss_server_port [serverside {TCP::remote_port}]
     
        catch {
            HSL::send $hsl "{\"version\":\"1.1\",\"level\":\"6\",\"_stream_filter\":\"test\",\"_TIMESTAMP\":\"[clock clicks -milliseconds]\",\"_CLIENT\":\"[clientside {IP::remote_addr}]:[clientside {TCP::remote_port}]\",\"_VIP\":\"[clientside {IP::local_addr}]:[clientside {TCP::local_port}]\",\"_SNAT\":\"[serverside {IP::local_addr}]:[serverside {TCP::local_port}] \",\"_SERVER\":\"[serverside {IP::remote_addr}]:[serverside {TCP::remote_port}]\"}"
        }
    }

    2.- Configure HSL_PUB

    sys log-config destination remote-high-speed-log HSL_SRV {
        pool-name P-WEB1_80
        protocol udp
    }
    sys log-config publisher HSL_PUB {
        destinations {
            HSL_SRV { }
        }
    }

    3.- Apply iRule to the VS and generate traffic.

    ---

    After capturing traffic output, that's the result.

    13:13:09.553783 00:50:56:8f:8f:ec > 00:50:56:8f:ae:99, ethertype 802.1Q (0x8100), length 260: vlan 4094, p 0, ethertype IPv4, 10.130.40.41.47233 > 172.16.100.1.80: UDP, length 207 out slot1/tmm1 lis=
    E....?@.....
    .()..d....P..C.{"version":"1.1","level":"6","_stream_filter":"test","_TIMESTAMP":"1580299989553","_CLIENT":"10.130.41.41:54197","_VIP":"10.130.41.50:80","_SNAT":"10.130.40.41:54197 ","_SERVER":"172.16.100.2:80"}.......

    Let me know if this helps.

    KR,

    Dario.
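
Collector-side counterpart to the answer above, as an added example that is not part of the original thread or F5's own code: it validates one UDP payload shaped like the captured record and rejects anything that is not well-formed JSON, which is what a hand-concatenated string yields when a request-supplied value such as a User-Agent contains a quote. The function names are assumptions made for this example; the sample is the JSON body from the capture.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Keys emitted by the iRule in the post (the poster's choice, not a fixed schema).
ENDPOINT_KEYS = ("_CLIENT", "_VIP", "_SNAT", "_SERVER")
REQUIRED_KEYS = ("version", "level", "_TIMESTAMP") + ENDPOINT_KEYS
# JSON body copied from the capture in the post, used here as sample input.
SAMPLE = (b'{"version":"1.1","level":"6","_stream_filter":"test",'
          b'"_TIMESTAMP":"1580299989553","_CLIENT":"10.130.41.41:54197",'
          b'"_VIP":"10.130.41.50:80","_SNAT":"10.130.40.41:54197 ",'
          b'"_SERVER":"172.16.100.2:80"}')


def parse_endpoint(value):
    """Split 'ip:port' into (ip, port); strip() absorbs the trailing space in _SNAT."""
    if not isinstance(value, str):
        raise ValueError(f"endpoint is not a string: {value!r}")
    host, sep, port = value.strip().rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad endpoint: {value!r}")
    return str(ipaddress.ip_address(host)), int(port)  # raises ValueError on a bad IP


def parse_hsl_record(datagram):
    """Validate one UDP payload; return a normalised record or raise ValueError."""
    try:
        obj = json.loads(datagram.decode("utf-8").strip())
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        # Unescaped quotes or control characters in a logged value end up here.
        raise ValueError(f"not valid JSON: {exc}") from exc
    if not isinstance(obj, dict):
        raise ValueError("top-level value is not an object")
    missing = [k for k in REQUIRED_KEYS if k not in obj]
    if missing:
        raise ValueError(f"missing keys: {missing}")
    record = {k.lstrip("_").lower(): parse_endpoint(obj[k]) for k in ENDPOINT_KEYS}
    millis = int(str(obj["_TIMESTAMP"]))  # the iRule logs epoch milliseconds
    record["time"] = datetime.fromtimestamp(millis / 1000, tz=timezone.utc)
    record["level"] = int(str(obj["level"]))
    return record


if __name__ == "__main__":
    print(parse_hsl_record(SAMPLE))
```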