For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Tracy_Butler_90's avatar
Tracy_Butler_90
Icon for Nimbostratus rankNimbostratus
Jul 06, 2006

writing an irule to log all traffic

Need assistance with writing an irule to log all traffic flow. Support suggested that this should be done versus making changes to the syslog-ng file. I've tried making changes to syslog-ng file wit...
application delivery
dev
devops
iRules
nitass's avatar
nitass
Icon for Employee rankEmployee
Oct 18, 2011
[root@iris:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.17.33:http
   ip protocol tcp
   rules myrule
}
[root@iris:Active] config  b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
        log local0. "[IP::client_addr]:[TCP::client_port]"
}
}

[root@iris:Active] config  b syslog include
SYSLOG - Include Data:

filter f_local0 {
   facility(local0) and
   not match("myrule");
};
log {
   source(s_syslog_pipe);
   filter(f_local0);
   filter(f_no_audit);
   destination(d_ltm);
};

filter f_myrule {
   match("myrule");
};
destination d_myrule {
   file("/var/log/myrule" create_dirs(yes));
};
log {
   source(s_syslog_pipe);
   filter(f_myrule);
   destination(d_myrule);
};

[root@iris:Active] config  cat /var/log/ltm

[root@iris:Active] config  cat /var/log/myrule
Oct 18 22:19:40 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53447
Oct 18 22:19:42 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53449
Oct 18 22:19:45 local/tmm info tmm[4601]: Rule myrule : 192.168.206.102:53450
Oct 18 22:20:10 local/iris notice b[28110]: 012e0045:5: AUDIT - user root - rule myrule list

hope this helps.