Forum Discussion
Setup High Speed Logging on Client Auth iRule
I have the below iRule and I would like to add high speed logging functionality instead of logging to the local0 LTM file. We have a Splunk server where we stand all of our logs from the F5 when they come from an iRule set up with HSL. So basically, everywhere I have a log local0 command, I would rather send those logs to Splunk using HSL. Thoughts?
```tcl
when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] == 0 } {
        log local0. "No Certificate Provided"
        drop
    } else {
        log local0. "Client Certificate Recieved - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
        if { [class match [X509::serial_number [SSL::cert 0]] equals ValidCertificates] } {
            log local0. "Client Accepted - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
        } else {
            log local0. "Client Rejected -IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
            reject
        }
    }
}
```
1 Reply
Something like this? Make sure you set up the syslog pool (hsl_syslog_pool).
```tcl
when RULE_INIT {
    # High speed logging setup - local7.info
    set static::bigip [info hostname]
    set static::facility <190>
    set static::hsl_prefix "$static::facility|host=$static::bigip"
}

when CLIENT_ACCEPTED {
    # Open a connection for high speed logging to hsl_syslog_pool & define log prefix
    set hsl [HSL::open -proto UDP -pool hsl_syslog_pool]
    set hsl_prefix "${static::hsl_prefix}|client=[IP::client_addr]:[TCP::client_port]"
}

when CLIENTSSL_CLIENTCERT {
    if { [SSL::cert count] == 0 } {
        set log_message "No Certificate Provided"
        HSL::send $hsl "$hsl_prefix|$log_message"
        drop
    } else {
        set log_message "Client Certificate Recieved - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
        HSL::send $hsl "$hsl_prefix|$log_message"
        if { [class match [X509::serial_number [SSL::cert 0]] equals ValidCertificates] } {
            set log_message "Client Accepted - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
            HSL::send $hsl "$hsl_prefix|$log_message"
        } else {
            set log_message "Client Rejected -IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
            HSL::send $hsl "$hsl_prefix|$log_message"
            reject
        }
    }
}
```
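Added example, not part of the original thread: a receiver-side Python sketch that parses the `<PRI>|host=...|client=IP:PORT|message` records the iRule above sends, decodes the `<190>` priority, and counts rejected or certificate-less handshakes per client. The function names, the hostname, the addresses and the serial values are constructed for illustration.

```python
import re
from collections import Counter

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Layout built by the iRule above: <PRI>|host=H|client=IP:PORT|message
RECORD = re.compile(r"^<(\d{1,3})>\|host=([^|]*)\|client=([^|]*)\|(.*)$")
SERIAL = re.compile(r"Serial:(\S+)")
# Message prefixes exactly as the iRule emits them (including its spelling).
OUTCOMES = {
    "No Certificate Provided": "no_cert",
    "Client Certificate Recieved": "received",
    "Client Accepted": "accepted",
    "Client Rejected": "rejected",
}

def parse_hsl(line):
    """Parse one HSL datagram; return None if it does not match the layout."""
    m = RECORD.match(line.strip())
    if not m or int(m.group(1)) > 191:  # syslog PRI = facility*8 + severity, max 191
        return None
    pri = int(m.group(1))
    ip, _, port = m.group(3).rpartition(":")  # split on last colon so IPv6 stays whole
    msg = m.group(4)
    serial = SERIAL.search(msg)
    outcome = next((v for k, v in OUTCOMES.items() if msg.startswith(k)), "unknown")
    return {
        "facility": pri >> 3,  # 23 is local7
        "severity": SEVERITIES[pri & 7],
        "host": m.group(2), "ip": ip,
        "port": int(port) if port.isdigit() else None,
        "outcome": outcome,
        "serial": serial.group(1) if serial else None,
    }

def failures_by_client(lines):
    """Count rejected and certificate-less handshakes per client IP."""
    counts = Counter()
    for rec in filter(None, map(parse_hsl, lines)):
        if rec["outcome"] in ("rejected", "no_cert"):
            counts[rec["ip"]] += 1
    return counts

# Constructed sample datagrams (documentation addresses, made-up serials).
SAMPLE = [
    "<190>|host=bigip1.example.com|client=192.0.2.10:51514|Client Certificate Recieved - IP:192.0.2.10 Serial:0a:1b:2c",
    "<190>|host=bigip1.example.com|client=192.0.2.10:51514|Client Rejected -IP:192.0.2.10 Serial:0a:1b:2c",
    "<190>|host=bigip1.example.com|client=198.51.100.7:40000|No Certificate Provided",
    "<190>|host=bigip1.example.com|client=2001:db8::5:443|Client Accepted - IP:2001:db8::5 Serial:7f",
    "not an HSL record",
]
```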