Forum Discussion
southern_shredd
Cirrus
CirrusStream matched rewrite irule statistics
We have a rewrite irule that uses stream match to rewrite hostnames etc. For decomissioning purposes we woud like to generate a report showing which requests (urls) are using the irule and the results of rewrite. The report should have columns like
matched, replacewith, fromURI, count
when ACCESS_ACL_ALLOWED {
#STREAM::disable
#HTTP::header remove "Accept-Encoding"
#log local0. "[IP::client_addr] is accessing and we are removing Accept-Encoding"
}
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events enable
}
when HTTP_REQUEST {
STREAM::disable
HTTP::header remove "Accept-Encoding"
set http_uri "https://[HTTP::host][HTTP::uri]"
}
when HTTP_RESPONSE {
# Check if response type is text
if {([HTTP::header value Content-Type] contains "text") || ([HTTP::header value Content-Type] contains "json")}{
STREAM::expression {@https?:\/\/([^\/\"]*\.)*city\.council\.com@replace_me@}
# Enable the stream filter for this response only
STREAM::enable
}
}
when STREAM_MATCHED {
#log local0. "Debug1: STREAM_MATCHED"
set CHECK [class match -value [string tolower [STREAM::match]] starts_with URI_department.city.council.com_no_rewrite]
if { $CHECK == "1" } {
#log local0. "found exception for [STREAM::match]"
STREAM::replace [STREAM::match]
} else {
set RE {https:\/\/([^\/\"]*\.)*city\.council\.com}
set STRING "[string map {http:// https://} [STREAM::match]]"
set SUBST "https://\\1department.city.council.com
if {! ($STRING contains "intranett") } {
# we need to insert intranett
set STRING "[regsub -all $RE $STRING $SUBST ]"
}
#log local3. "[IP::client_addr]:[TCP::local_port]: matched: '[STREAM::match]', replaced with: '$STRING', from URI: $http_uri"
STREAM::replace $STRING
#if { ! ($STRING == [STREAM::match]) } {
# }
}
}
- Nikoolayy1
MVP
If you have a SIEM like Splunk or ELK maybe you can use Stats/iStats in the iRule and then with the API to access this info or just forward it to the SIEM with the logs and make the report. Have note done this myself.
https://support.f5.com/csp/article/K17283308
https://clouddocs.f5.com/api/irules/STATS.html
https://clouddocs.f5.com/api/irules/ISTATS.html
Also Telemetry Streaming can be used to stream Virtual server/pool statistics to Systlog/SIEM and you can create as I mentioned your own custom stats with STATS/iSTATS.
https://clouddocs.f5.com/products/extensions/f5-telemetry-streaming/latest/
southern_nordicAltocumulus
Understood, can you give an example of a log line that could be added that would return perhaps "hostname matches" or "hits by hostname"
- Paulius
southern_shredd you should be able to put the following in the the third line in the section of "when HTTP_REQUEST" but this really depends on when you would like the logging to occur.
log local0. "Client Connected, IP: [IP::client_addr] for Host: [HTTP::host]"
- Paulius
southern_shredd I don't believe a report exists on the BIG-IP that would do this for you. You will have add some logging lines to your iRule to log the specifics that you want and then use something else to count the entries in the logging destination or directly from the BIG-IPs. Please keep in mind that logs are rotated after a certain time or size so it is possible that you could miss some statistics if you BIG-IP creates a significant amount of log entries so it's best to send these logs to a logging device.
