tcp connection logging at maximum demarcation points

Question

Hi,&nbsp;
&nbsp;following on from the general principles in this codeshare&nbsp;
&nbsp;http://devcentral.f5.com/wiki/default.aspx/iRules/LogHttpTcpUdpToSyslogng.html&nbsp;
&nbsp;how acan this be expanded further to include other details such as the volume of data transferred and how the connections are closed? As a network admin i'm always incorrectly blamed by our apps teams for having a dodgy network. i'd like to look at irules to create auditable logging for certain critical processes which could allow a good idea of what's actually happened to the connection and when it happened in order to even integrate the f5 logs with application logs via an application like splunk. i would want to log:&nbsp;
&nbsp; - when a connection starts
&nbsp; - when it's connected to a server 
&nbsp;    (both of which would be trivial) 
&nbsp; - how much data is transferred in both directons
&nbsp; - how the connection is closed when it is. (has the f5 timed it out? has the server timed out? has it closed nicely?&nbsp;
&nbsp;it's these later details i'm struggling to find any real information on. i know when a connection closed from CLIENT_CLOSED but what else can I report from within that event callback?&nbsp;
&nbsp;[btw for areas like this we're having to fettle with syslog-ng.conf... are there any worthwhile feature requests to more intelligently control routing of log events? it surely isn't hard to and a webUI page to say that, for example, local4.notice and higher should be 1) logged to the ltm log and 2) forwarded to syslog server at a.b.c.d??? seems a rel shame to still have to manually tinker...]&nbsp;
&nbsp;Thanks&nbsp;
&nbsp;Chris

deb_allen_18 · Answer

Hi Chris--&nbsp;
&nbsp;We really have no way in iRules to differentiate between the different types of close that might take place on a connection: RST, FIN, timeout all look the same inside of iRules.&nbsp;
&nbsp;Calculating how much data is transfered would definitely be possible, although you'd be introducing latency to each connection &amp; adding system overhead by collecting in both directions and doing the math.&nbsp;
&nbsp;I think GUI control of the syslog config would be a good add to the product.  I'd say definitely open a case and request a CR or Feature Request for that functionality or to be linked to any existing CR requesting it.  &nbsp;
&nbsp;HTH
&nbsp;/deb

chris_phillips · Answer

would it not be feasible to get a better view of the connection table itself? AFAIR, I can get information about the volume of traffic through a connection from the bigpipe conn commands and such, and blatantly the system knows about this information at some level? would this all have to end in a second largely futile feature request?

Forum Discussion

tcp connection logging at maximum demarcation points

Recent Discussions

Help needed with iRule (connection closed log )

AS3 Limitations

Use of SSL Decryption.

VLAN Failsafe Functionality

FTP PASV mode to Extended Passive mode

Related Content

Log tcp Connections.

Log client to vip connections

Site-to-Site Connectivity in F5 Distributed Cloud Network Connect – Reference Architecture

will the F5 log incoming connections into a log file?

Logging DNS Requests

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS