Forum Discussion

sulabh_sriv's avatar
sulabh_sriv
Icon for Altostratus rankAltostratus
Jan 10, 2024

Specific Virutal server log to Splunk - not working

Hi All, I want to send traffic log for a specifc virtual server to Splunk servers. I followed the below link ; https://community.f5.com/t5/technical-forum/virtual-server-log-forward-to-splunk/td-p/...
application delivery
sulabh_sriv's avatar
sulabh_sriv
Icon for Altostratus rankAltostratus
Jan 12, 2024

Hi Jason,

Did you get chance to see the above link, is there any change required you suggest ?

 

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Jan 12, 2024

    yep, but did you get a chance to check your logs and take a packet capture? What's going on other than what you see in the browser experience? Can you paste your iRule in a response (make sure to use the </> icon to insert the code into a code block)

    • sulabh_sriv's avatar
      sulabh_sriv
      Icon for Altostratus rankAltostratus
      Jan 16, 2024

      Yes, I did capture the traffic, In non-working scenario there is a reset from Virtual server to the client and BigIP is not sending traffic to the backend servers. See the pic attached.

      10.37.21.185 is client IP and 172.27.129.82 is the virtual server.

      Here is the iRule:

      when CLIENT_ACCEPTED {
  set client_address [IP::client_addr]
  set vip [IP::local_addr]
  set splunk_pool SPLUNK-HSL-POOL
  set hsl [HSL::open -proto UDP -pool $splunk_pool]
}
when HTTP_REQUEST {
  set http_host [HTTP::host]:[TCP::local_port]
  set http_uri [HTTP::uri]
  set http_method [HTTP::method]
  set http_version [HTTP::version]
  set virtual_server [LB::server]
  set http_user_agent [HTTP::header "User-Agent"]
  set http_content_type [HTTP::header "Content-Type"]
  set tcp_start_time [clock clicks -milliseconds]
  set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
  if { [HTTP::header Content-Length] > 0 } then {
  set req_length [HTTP::header "Content-Length"]
  } 
  else {
  set req_length 0
  }
}
when HTTP_RESPONSE {
  set res_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
  set node [IP::server_addr]
  set node_port [TCP::server_port]
  set http_status [HTTP::status]
  set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
  if { [HTTP::header Content-Length] > 0 } then {
  set res_length [HTTP::header "Content-Length"]
  } 
  else {
  set res_length 0
  }
  set hsl [HSL::open -proto UDP -pool $splunk_pool]
HSL::send $hsl "<514> HSL, CLIENT_IP=$client_address, VIP=$vip, VIP_NAME=\"$virtual_server\", 
    SERVER_NODE=$node, SERVER_NODE_PORT=$node_port, HTTP_URL=$http_url, HTTP_VERSION=$http_version, 
    HTTP_STATUS=$http_status, HTTP_METHOD=$http_method, HTTP_CONTENT_TYPE=$http_content_type, HTTP_USER_AGENT=\"$http_user_agent\", 
    HTTP_REFERRER=\"$http_referrer\",REQUEST_START_TIME=$req_start_time,REQUEST_ELAPSED_TIME=$req_elapsed_time, BYTES_IN=$req_length, 
    BYTES_OUT=$res_length\r\n"
}

       

      • JRahm's avatar
        JRahm
        Icon for Admin rankAdmin
        Jan 16, 2024

        what's the full message in the rst packet? Starts with iRule execution... Basically it is being reset because of the iRule, something isn't working there. What does your /var/log/ltm say? Likely a Tcl error message at same timestamp.

        As far as the rule is concerned, did you define a pool named SPLUNK-HSL-POOL?