
Forum Discussion

bwilliam
May 06, 2021
Solved

VIP Client Logging "Not RFC1918"

Hi, I have gone through the DevCentral site and found an iRule capturing VIP client connections. The problem I have is that I don't need to log internal IP space or RFC1918 networks. I want to log all other public IP client connections.

This is the iRule I am using. This is my first time working with any programming language and I can't see how the logic will flow.

when HTTP_REQUEST {
 log local0. "clientIP:[IP::client_addr] accessed
 [HTTP::host][HTTP::uri]"
]

3 Replies

  • First of all, congrats on your first dip in the iRules pool! :)

     

    A couple of suggestions:

    • The bracket on line 4 should be a curly bracket } instead of a square bracket; this is the closing bracket for the one on line 1.
    • The log statement should work the way you have it at the moment, and will log the client address as well as the full URL.
    • If you want to add the logic to only look for non-private IPs, you can add an "if" statement similar to this one (the "private_net" is a data group that's already configured on the system with the private IP ranges in it):

     

    when HTTP_REQUEST {
      if { !([class match [IP::client_addr] equals private_net]) } {
        log local0. "clientIP:[IP::client_addr] accessed [HTTP::host][HTTP::uri]"
      }
    }

     

    Hope this helps.

  • Thank you Alex for the response. I ended up going with this iRule. Initially after applying the iRule I was still logging the private networks. What I found is that I had to surround the private_net with quotes. After doing this I only saw public networks.

     

    Now I need to send it to a remote syslog instead of logging to local0. I just have to research what those lines of code will look like.

     

    when HTTP_REQUEST {
      # Skip any client whose address falls inside the private_net address data group
      if { not ([class match [IP::client_addr] equals "private_net"]) } {
        log local0. "clientIP:[IP::client_addr] accessed [HTTP::host][HTTP::uri]"
      }
    }

     

    • AlexBCT

      Ah yes, sorry I missed that.

      Regarding sending to a remote log, have a look at HSL logging: https://clouddocs.f5.com/api/irules/HSL__open.html

      This is the most efficient way to send logs to remote servers.
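Putting the two halves of the thread together (the private_net data group check and HSL remote logging), here is a complete iRule as an added example. It is not code from the original posts or from F5; it goes beyond the thread in three ways a practitioner would want: it opens the HSL handle once per connection instead of once per request, it strips CR/LF from the attacker-controlled Host and URI fields and caps their length so a request cannot forge extra syslog records, and it frames the message as RFC 3164 syslog. The data group name private_net comes from the thread; the pool name syslog_pool, the collector address 192.0.2.50, the hostname bigip1 and the tag vip-access are placeholders I chose, and the tmsh commands in the header comment show the objects the iRule assumes exist.

```tcl
# Added example iRule (not from the original thread or from F5): log only
# non-RFC1918 client addresses and ship each record to a remote syslog pool
# over High Speed Logging (HSL).
#
# Assumed objects; create them first, names and addresses are placeholders:
#   tmsh create ltm data-group internal private_net type ip \
#       records add { 10.0.0.0/8 { } 172.16.0.0/12 { } 192.168.0.0/16 { } }
#   tmsh create ltm pool syslog_pool members add { 192.0.2.50:514 }
# 192.0.2.50 is an RFC 5737 documentation address standing in for the collector.

when RULE_INIT {
    # Hostname stamped into every syslog line; set to the BIG-IP's real name.
    set static::syslog_host "bigip1"
    # RFC 3164 PRI for facility local0 (16) and severity info (6): 16*8 + 6
    set static::syslog_pri 134
}

when CLIENT_ACCEPTED {
    # One HSL handle per TCP connection; reusing it across requests is cheaper
    # than calling HSL::open inside HTTP_REQUEST.
    set hsl [HSL::open -proto UDP -pool syslog_pool]

    # The client address cannot change mid-connection, so evaluate the data
    # group once here. For a type ip data group, "equals" matches when the
    # address falls inside any listed prefix.
    set is_private [class match [IP::client_addr] equals private_net]
}

when HTTP_REQUEST {
    # Internal clients are not logged at all.
    if { $is_private } { return }

    # Host and URI are chosen by the client. Remove CR/LF so one request cannot
    # inject a second log record (HSL over TCP delimits records on newline) and
    # cap the URI length so an oversized request cannot flood the collector.
    set crlf_map [list "\r" "" "\n" ""]
    set host [string map $crlf_map [HTTP::host]]
    set uri  [string range [string map $crlf_map [HTTP::uri]] 0 1023]

    set ts  [clock format [clock seconds] -format "%b %e %H:%M:%S"]
    set msg "clientIP:[IP::client_addr] accessed ${host}${uri}"

    # RFC 3164 framing: <PRI>TIMESTAMP HOSTNAME TAG: MESSAGE
    HSL::send $hsl "<$static::syslog_pri>$ts $static::syslog_host vip-access: $msg"
}
```

Two caveats on top of the thread. First, the data group only excludes the three RFC1918 blocks; if "public only" is meant literally, add 127.0.0.0/8, 169.254.0.0/16 and 100.64.0.0/10 (and fc00::/7 for IPv6) to private_net, since class match checks whatever prefixes the group holds. Second, IP::client_addr is the address of the TCP peer: if the virtual server sits behind another proxy or load balancer, every request will appear to come from that device, and the real client is only available from a header such as X-Forwarded-For, which must be trusted only when the peer is a known proxy because a client can set it to any value. UDP syslog is also cleartext and unacknowledged, so switch to -proto TCP and a TLS-terminating collector where the logs cross an untrusted network.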