Forum Discussion
Specific Virtual server log to Splunk - not working
Yes, I did capture the traffic. In the non-working scenario there is a reset from the virtual server to the client, and BigIP is not sending traffic to the backend servers. See the pic attached.
10.37.21.185 is client IP and 172.27.129.82 is the virtual server.
Here is the iRule:
when CLIENT_ACCEPTED {
    set client_address [IP::client_addr]
    set vip [IP::local_addr]
    set splunk_pool SPLUNK-HSL-POOL
    # Open the high-speed logging handle to the Splunk pool
    set hsl [HSL::open -proto UDP -pool $splunk_pool]
}
when HTTP_REQUEST {
    # Capture request details for the log line sent in HTTP_RESPONSE
    set http_host [HTTP::host]:[TCP::local_port]
    set http_uri [HTTP::uri]
    set http_method [HTTP::method]
    set http_version [HTTP::version]
    set virtual_server [LB::server]
    set http_user_agent [HTTP::header "User-Agent"]
    set http_referrer [HTTP::header "Referer"]
    set http_content_type [HTTP::header "Content-Type"]
    set tcp_start_time [clock clicks -milliseconds]
    set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    if { [HTTP::header Content-Length] > 0 } then {
        set req_length [HTTP::header "Content-Length"]
    } else {
        set req_length 0
    }
}
when HTTP_RESPONSE {
    set res_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
    set node [IP::server_addr]
    set node_port [TCP::server_port]
    set http_status [HTTP::status]
    set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}]
    if { [HTTP::header Content-Length] > 0 } then {
        set res_length [HTTP::header "Content-Length"]
    } else {
        set res_length 0
    }
    set hsl [HSL::open -proto UDP -pool $splunk_pool]
    # Backslash-newline keeps the message on one logical line
    HSL::send $hsl "<514> HSL, CLIENT_IP=$client_address, VIP=$vip, VIP_NAME=\"$virtual_server\",\
        SERVER_NODE=$node, SERVER_NODE_PORT=$node_port, HTTP_URL=$http_url, HTTP_VERSION=$http_version,\
        HTTP_STATUS=$http_status, HTTP_METHOD=$http_method, HTTP_CONTENT_TYPE=$http_content_type, HTTP_USER_AGENT=\"$http_user_agent\",\
        HTTP_REFERRER=\"$http_referrer\",REQUEST_START_TIME=$req_start_time,REQUEST_ELAPSED_TIME=$req_elapsed_time, BYTES_IN=$req_length,\
        BYTES_OUT=$res_length\r\n"
}
What's the full message in the RST packet? Starts with iRule execution... Basically it is being reset because of the iRule; something isn't working there. What does your /var/log/ltm say? Likely a Tcl error message at the same timestamp.
As far as the rule is concerned, did you define a pool named SPLUNK-HSL-POOL?
- sulabh_sriv, Jan 17, 2024
Altostratus
The reset logs show "iRule execution error". In the logs for the iRule, it says " <HTTP_RESPONSE> - can't read "http_url": no such variable while executing "HSL::send $hsl"
Yes, I defined a pool named SPLUNK-HSL-POOL, which is used in the iRule. Is there any issue in the iRule you can see?
Thanks
- smilam, Feb 09, 2024
Nimbostratus
It looks to me like your iRule is creating the variable http_uri, but your HSL::send is looking for http_urL. You're setting with the letter i, but sending with the letter L.
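The set/read mismatch diagnosed in this thread can be caught before a rule is attached to a virtual server. The following is an added example, not part of the original thread and not F5 tooling: a Python check that lists variables an iRule reads as `$name` but never assigns with `set`, and suggests the closest assigned name. It is a heuristic that assumes variables are created only by `set` (names created by `foreach`, `scan`, `regexp` and similar would be reported as well), and the sample rule is constructed.

```python
import difflib
import re

# Constructed sample: an abbreviated iRule with the same mismatch reported in
# the thread (http_uri is assigned, $http_url is read).
SAMPLE_IRULE = r'''
when CLIENT_ACCEPTED {
    set client_address [IP::client_addr]
    set hsl [HSL::open -proto UDP -pool SPLUNK-HSL-POOL]
}
when HTTP_REQUEST {
    set http_uri [HTTP::uri]
    set http_method [HTTP::method]
}
when HTTP_RESPONSE {
    # $commented_out is skipped because this whole line is a comment
    set http_status [HTTP::status]
    HSL::send $hsl "CLIENT_IP=$client_address, HTTP_URL=$http_url, HTTP_METHOD=${http_method}, HTTP_STATUS=$http_status\r\n"
}
'''

SET_RE = re.compile(r'(?:^|[;\[{])\s*set\s+([A-Za-z_]\w*)', re.MULTILINE)
REF_RE = re.compile(r'(?<!\\)\$(?:\{(\w+)\}|([A-Za-z_]\w*))')
EVENT_RE = re.compile(r'^\s*when\s+(\w+)')

def undefined_variables(irule_text):
    """Return (line, event, name, closest_assigned_name) for each $name read
    that has no matching `set name` anywhere in the rule."""
    # Drop full-line comments but keep the original line numbers.
    code = [(n, line) for n, line in enumerate(irule_text.splitlines(), 1)
            if not line.lstrip().startswith('#')]
    assigned = sorted(set(SET_RE.findall('\n'.join(line for _, line in code))))
    findings, event = [], None
    for n, line in code:
        m = EVENT_RE.match(line)
        if m:
            event = m.group(1)  # remember which "when" block we are in
        for braced, bare in REF_RE.findall(line):
            name = braced or bare
            if name not in assigned:
                hint = difflib.get_close_matches(name, assigned, n=1)
                findings.append((n, event, name, hint[0] if hint else None))
    return findings

if __name__ == '__main__':
    for line, event, name, hint in undefined_variables(SAMPLE_IRULE):
        print(f'line {line} ({event}): ${name} is never set; did you mean ${hint}?')
```

Because a Tcl error in an event handler makes BIG-IP reset the connection, as seen in this thread, running a check like this on a logging iRule before deployment avoids taking down the virtual server over a typo.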