cmedalis_299270
Aug 04, 2017, Nimbostratus
Stream Logging Efficiency - iRule question
I have an iRule that utilizes stream matching and header capture to pull a Client IP, a posted Username, and a response from the web application (webapp is ADFS in this case).
I am not sure if this is the most efficient method to gather and log this data; the iRule works well in our dev environment, but I am concerned that it will be a hog on prod.
FWIW - I know this could be done more efficiently with APM but I'm constrained to an iRule for this at the moment.
Any advice to improve the rule would be appreciated!
-- %< --
when HTTP_REQUEST {
    # Snag the remote client address
    set int [IP::remote_addr]
    # Initialise USER so STREAM_MATCHED never references an unset variable
    # (e.g. on a GET, or a POST that carries no username field)
    set USER ""
    # Insert MS Proxy info for ADFS to know we are external
    HTTP::header insert "X-MS-Proxy" "F5-LTM-PROD"
    # Insert MS Proxy info for ADFS logging
    HTTP::header insert "X-MS-Forwarded-Client-IP" [IP::client_addr]
    if { [HTTP::method] eq "POST" } {
        # Trigger collection for up to 1MB of data
        if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576 } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 1048576
        }
        # Only collect if $content_length is not 0
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}
when HTTP_REQUEST_DATA {
    # Walk the form-encoded body and keep the "username=..." pair
    foreach X [split [string tolower [HTTP::payload]] "&"] {
        if { $X starts_with "username" } {
            set USER $X
        }
    }
}
when HTTP_RESPONSE {
    # Tcl requires the body brace on the same line as the condition
    if { [HTTP::header value "Content-Type"] contains "text/html" } {
        STREAM::expression @Incorrect@
        STREAM::enable
    }
}
when STREAM_MATCHED {
    log local0.info "ADFS FAILED Login attempt for user $USER From Client $int"
}
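An added example, not the original poster's rule, of how the same logging can be done with less work per request: bodies are only buffered for form-encoded POSTs and capped at 64 KB, the username is pulled with findstr instead of splitting and lowercasing the whole body into a list, the stream profile is explicitly disabled on non-HTML responses, and scanning stops after the first match. It assumes (not stated in the post) that the login POST arrives as application/x-www-form-urlencoded and that the field is named UserName, and it still requires a stream profile on the virtual server like the original.

```tcl
# Added example iRule (not from the original post). Assumptions: login POSTs are
# application/x-www-form-urlencoded, the form field is "UserName", and a stream
# profile is attached to the virtual server. Field names are case-folded before
# matching, so "UserName" and "username" are both found.
when HTTP_REQUEST {
    # Initialise so STREAM_MATCHED never references an unset variable
    set user "-"
    set client [IP::client_addr]
    HTTP::header insert "X-MS-Proxy" "F5-LTM-PROD"
    HTTP::header insert "X-MS-Forwarded-Client-IP" $client

    # Only buffer bodies that can carry a login form, and cap the buffer at 64 KB
    if { [HTTP::method] eq "POST" && \
         [string tolower [HTTP::header "Content-Type"]] starts_with "application/x-www-form-urlencoded" } {
        set clen [HTTP::header "Content-Length"]
        # Missing, non-numeric (e.g. chunked) or oversized lengths fall back to the cap
        if { ![string is integer -strict $clen] || $clen > 65536 } {
            set clen 65536
        }
        if { $clen > 0 } {
            HTTP::collect $clen
        }
    }
}

when HTTP_REQUEST_DATA {
    # findstr returns the text after "username=" up to the next "&" (or end of body),
    # which avoids building a Tcl list out of the entire payload. Skip count 9 is
    # the length of "username=". Only the username is kept; the password is never read.
    set v [findstr [string tolower [HTTP::payload]] "username=" 9 "&"]
    if { $v ne "" } {
        set user [URI::decode $v]
    }
    # Hand the buffered body on to the server
    HTTP::release
}

when HTTP_RESPONSE {
    if { [HTTP::header value "Content-Type"] contains "text/html" } {
        # Search-only expression: match the failure text, replace with itself
        STREAM::expression {@Incorrect@}
        STREAM::enable
    } else {
        # Do not let the stream profile scan images, scripts or other non-HTML bodies
        STREAM::disable
    }
}

when STREAM_MATCHED {
    log local0.info "ADFS FAILED Login attempt for user $user from client $client"
    # One match is enough for this response; stop scanning the rest of the body
    STREAM::disable
}
```

The main savings come from not buffering every POST and not running the stream filter over every response: HTTP::collect is only triggered when the request looks like a form submission, and STREAM::disable keeps the filter off for the bulk of the traffic that cannot contain the failure string.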