Mazen2006_14317
Mar 24, 2014

Using request Logging Profile with external syslog server: to log as HTTP Apache format

Hello,

I have an LTM v11.2.1 and a syslog server. I have a VS_TV that handles HTTP request/response flows and sends them to chosen nodes.

I need to log these HTTP requests and responses in Apache log format using the request logging profile and send the results to my external syslog server (listening on port 514). I already have a pool "POOL_SYSLOG" which has my syslog server (NODE_SYSLOG:514) as a member.

Can I do this, and how? What should I create? Can I use my existing POOL_SYSLOG as the request logging pool? I read in the doc "http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-1-0/19.htmlconceptid" that we should create a pool with request logging to manage HTTP traffic and that the service port should be 80, but my syslog listens on port 514...

Help please!

9 Replies

  • Hi!

    The port is not a problem. You need to use an iRule to send the syslog messages though.

    Check this one out:

    https://devcentral.f5.com/wiki/irules.FormattedLoggingForW3c.ashx

    It's W3C formatted, but you can modify if needed.

    /Patrik

  • In fact, I want to know if I can configure a request logging profile that I customize to log locally in Apache combined format and apply this to an existing HTTP VS? I don't want to use an iRule...

    • Patrik_Jonsson
      Sorry mate, never used that one. Did not even know it existed. I don't think using the 514 pool should be any problem though, as the request logging profile looks like an interface to the HSL iRules (which accept UDP 514 syslog servers). Hope someone else can give you a more definite answer, but the best way should be to try. /Patrik
  • Ok, nop, thank you for your contribution...
    
    Has anyone already used the request logging profile?
    
    My need: create a standard logging profile to log in Apache HTTP combined format without using an iRule. I need to be able to apply this profile to any VS on which I need to activate the Apache HTTP combined log. Is it possible? If yes, how should I do it?
    
    Help please!
    Mazen
    
  • Thanks Kevin,
    
    I already have a request logging profile "CP_log_profile" that uses my "POOL_SYSLOG". Could I also add the "apache-log-format" to the same syslog pool? Does it impact the existing log? Note that the LTM is configured for remote logging to the "POOL_SYSLOG".
    If an iRule uses the HSL command or the log command to send logs to this pool, I need to know whether the request logging profile attached to the syslog pool is used or not.
    set hsl [HSL::open -proto TCP -pool /CLI01_COPR/POOL_SYSLOG]
    HSL::send  $hsl 
    
  • A logging iRule and a Request Logging profile are different things. An iRule attached to the virtual server will log what's specified in the iRule. A Request Logging profile attached to the virtual server will log what's specified in the Request Logging profile.

     

  • Hi, is it possible to use the request logging profile to send HTTP requests in ArcSight format? Thanks,

     

  • You could do this with a request logging profile and save the trouble of an iRule. The following guide talks about an ArcSight log entry looking like this:

    http://mita-tac.wikispaces.com/file/view/CEF+White+Paper+071709.pdf

    CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
    

    Ex. Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232

    Here are details on the request logging profile.

    http://support.f5.com/kb/en-us/products/big-ip-aam/manuals/product/aam-implementations-11-4-0/20.html?sr=33764514

    Based on that document, a fairly common request logging filter might look something like this:

    $DATE_NCSA - $CLIENT_IP - $SERVER_IP - $HTTP_REQUEST - $HTTP_STATUS - ${User-agent}
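
Added example (not part of the thread, and not F5 or ArcSight code): a collector-side Python parser for the CEF layout quoted in the reply above. It honours escaped `|` in the header and escaped `=` in the extension, which matters because the URI and User-agent values a logging template substitutes are supplied by the client. The second sample line, its vendor and product strings, and the use of the `requestClientApplication` key are constructed for illustration.

```python
import re

HEADER = ("version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")
_KEY = re.compile(r"(?:^|\s)(\w+)=")   # a key is a word followed by an unescaped '='

# First line is the example quoted in the post; the second is constructed here
# (vendor/product strings and the request are made up) to exercise escaping.
PAGE_EXAMPLE = ("Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|"
                "worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232")
CONSTRUCTED = (r"Sep 19 08:26:11 host CEF:0|F5|BIG-IP LTM|11.2.1|100|GET /a\|b|1|"
               r"src=10.0.0.1 requestClientApplication=curl/7.0 (x\=1) dst=2.1.2.2")


def split_header(body):
    """Split the seven header fields on unescaped '|'; return (fields, extension)."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER):
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i + 1])      # escaped pipe or backslash is literal
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != len(HEADER):
        raise ValueError("incomplete CEF header")
    return fields, body[i:]


def parse_extension(ext):
    """Parse 'key=value key=value'; values may hold spaces and escaped '='."""
    out, hits = {}, list(_KEY.finditer(ext))
    for m, nxt in zip(hits, hits[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)]
        out[m.group(1)] = re.sub(r"\\([=\\])", r"\1", raw.strip())
    return out


def parse_cef(line):
    """Return header fields plus an 'extension' dict for one syslog line."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF marker")
    fields, ext = split_header(line[start + 4:])
    record = dict(zip(HEADER, fields))
    record["extension"] = parse_extension(ext)
    return record
```

A line whose header does not split into exactly seven fields raises `ValueError`, which is a useful signal at the collector that a substituted value carried an unescaped pipe or the message was truncated.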