Forum Discussion

Tracy_Butler_90
Jul 06, 2006

writing an irule to log all traffic

Need assistance with writing an iRule to log all traffic flow. Support suggested that this should be done instead of making changes to the syslog-ng file. I've tried making changes to the syslog-ng file with no luck. Please let me know if this is worth pursuing or whether I should go back to the syslog-ng file.

I'm looking to log source and destination IP addresses along with the corresponding ports.

Thanks
  • nathe
    Apologies. I copied your original post, rather than the amended one, as recommended by acidkewpie, and left in the "." - can you remove this and try again please?

    Rgds

    N
  • nathe
    And I've noticed more " to escape:

    match(\"logger\"); 

    N
  • same issue:

    b syslog include "
    >
    > filter f_local0info {
    > facility(local0) and level(info) and match(\"logger\");
    > };
    >
    > destination d_logger {
    > udp(\"10.160.161.253\" port (1026));
    > };
    >
    > log {
    > source(local);
    > filter(f_local0info);
    > destination(d_logger);
    > };"

    BIGpipe parsing error:

    012e0008:3: The requested command (filter f_local0info {) is invalid


  • nathe
    What LTM version are you running? My v10 works with this:

    syslog include " 
    filter f_local0_info { 
    facility(local0) and level(info) and match(\"logger\"); 
    }; 
     
    destination d_logger { 
    udp(\"10.160.161.253\" port (1026)); 
    }; 
     
    log { 
    source(local); 
    filter(f_local0_info); 
    destination(d_logger); 
    };"

    bpsh < syslog.inc

    bP syslog include

    SYSLOG - Include Data:

    filter f_local0_info { facility(local0) and level(info) and match("logger"); }; destination d_logger { udp("10.160.161.253" port (1026)); }; log { source(local); filter(f_local0_info); destination(d_logger); };

    Rgds

    N
  • I was getting a TCL error (TCL error: /Common/LogRule - can't read "client": no such variable while executing "log local0.info "Client $client -> VIP: $vip -> Node: $node"") when I created an iRule by copying/pasting the TCP logger rule in hoolio's first post and found I had to remove some quotation marks to properly set the variables. I'm running 11.6.0 Build 5.123.429. I also slightly modified it so it logs both when the connection is made and disconnected.

    Here's what I used:

    when CLIENT_ACCEPTED {
       # Client-side connection is up; the VIP address and port are known here
       set vip [IP::local_addr]:[TCP::local_port]
    }

    when SERVER_CONNECTED {
       # client and node are only set once the server-side connection exists
       set client [IP::client_addr]:[TCP::client_port]
       set node [IP::server_addr]:[TCP::server_port]
       log local0.info "Connected: Client $client -> VIP: $vip -> Node: $node"
    }

    when CLIENT_CLOSED {
       # Reads client and node, which are set in SERVER_CONNECTED
       log local0.info "Disconnected: Client $client -> VIP: $vip -> Node: $node"
    }
    

    This was a super helpful thread, thanks hoolio!

    • aries22

      Hi everyone,

      I applied sinamotamedi's revised script but still get TCL errors.

      I even made adjustments in hopes to reduce errors:

      when CLIENT_ACCEPTED {
         set vip [IP::local_addr]:[TCP::local_port]
         set client [IP::client_addr]:[TCP::client_port]
      }
      when SERVER_CONNECTED {
         set node [IP::server_addr]:[TCP::server_port]
         log local0.info "Connected: Client $client -> VIP: $vip -> Node: $node"
      }
      when CLIENT_CLOSED {
         log local0.info "Disconnected: Client $client -> VIP: $vip" 
      }
      when SERVER_CLOSED {
         log local0.info "A client has disconnected on Node: $node" 
      }
      

      The CLIENT_CLOSED event does not generate an error anymore, but I'm still getting an error for the SERVER_CLOSED event sometimes:

      01220001:3: TCL error: /Common/TCP_Logger  - can't read "node": no such variable     while executing "log local0.info "A client has disconnected on Node: $node""

      I'm assuming this is caused by a connection with an established client side but an unestablished server side. Is my assumption correct? How do I correct the SERVER_CLOSED event logging script so that it won't generate errors?

    • sinamotamedi_15

      It seems like the error is saying the "node" variable doesn't exist so what you could do is add an IF/ELSE statement that checks whether the variable exists before writing to the log. Here's an example given the script you posted:

      when CLIENT_ACCEPTED {
         set vip [IP::local_addr]:[TCP::local_port]
         set client [IP::client_addr]:[TCP::client_port]
      }
      when SERVER_CONNECTED {
         set node [IP::server_addr]:[TCP::server_port]
         log local0.info "Connected: Client $client -> VIP: $vip -> Node: $node"
      }
      when CLIENT_CLOSED {
         log local0.info "Disconnected: Client $client -> VIP: $vip" 
      }
      when SERVER_CLOSED {
         # Only log if SERVER_CONNECTED actually ran and set the variable
         if {[info exists node]} {
             log local0.info "A client has disconnected on Node: $node"
         } else {
             # nothing to log: the server side never connected
         }
      }
      
    • aries22

      Thank you so much sinamotamedi for your help! I edited the rule you gave and tested the version below, which did not generate errors:

      when CLIENT_ACCEPTED {
         set vip [IP::local_addr]:[TCP::local_port]
         set client [IP::client_addr]:[TCP::client_port]
      }
      when SERVER_CONNECTED {
         set node [IP::server_addr]:[TCP::server_port]
         log local0.info "Connected: Client $client -> VIP: $vip -> Node: $node"
      }
      when CLIENT_CLOSED {
         log local0.info "Disconnected: Client $client -> VIP: $vip"
      }
      when SERVER_CLOSED {
         # Both variables must exist before they are read
         if {[info exists node] and [info exists client]} {
             log local0.info "Disconnected: Client $client -> VIP: $vip -> Node: $node"
         } else {
             # nothing to log: the server side never connected
         }
      }
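The pattern the last few replies converge on, written out as an added example by the editor (not code from any poster in this thread): rather than testing `info exists` at close time, initialise every variable in CLIENT_ACCEPTED, which always runs first for a TCP virtual server, and fill in `node` only when the server side actually connects. The variable names, events and the `local0.info` facility are the ones used above; the "(none)" marker text is the editor's choice.

```tcl
# Added example, not from the original thread: a TCP connection logger that
# survives the "client side established, server side never connected" case.
# Every variable read in a close event is guaranteed to exist because it is
# created in CLIENT_ACCEPTED, the first event to fire on the connection.
when CLIENT_ACCEPTED {
    # Client-side values are always available here; capture them once.
    set client "[IP::client_addr]:[TCP::client_port]"
    set vip    "[IP::local_addr]:[TCP::local_port]"
    # Placeholder until (and unless) SERVER_CONNECTED fires.
    set node   ""
}

when SERVER_CONNECTED {
    set node "[IP::server_addr]:[TCP::server_port]"
    log local0.info "Connected: Client $client -> VIP: $vip -> Node: $node"
}

when SERVER_CLOSED {
    # node is non-empty only if SERVER_CONNECTED ran, so no info-exists test is needed.
    if { $node ne "" } {
        log local0.info "Server side closed: Client $client -> VIP: $vip -> Node: $node"
    }
}

when CLIENT_CLOSED {
    # Runs whether or not a server-side connection was ever made.
    if { $node eq "" } {
        log local0.info "Disconnected: Client $client -> VIP: $vip -> Node: (none, server side never connected)"
    } else {
        log local0.info "Disconnected: Client $client -> VIP: $vip -> Node: $node"
    }
}
```

The empty-string initialisation and aries22's `info exists` check are equivalent guards; the difference is only that the initialised form fails loudly at save time if a variable name is misspelled, whereas an `info exists` test on a misspelled name silently never logs. One caveat for anyone logging every connection this way: `log local0.` goes through syslog-ng on the management plane, so on a busy virtual server the logging itself becomes the bottleneck, which is what the High Speed Logging commands (`HSL::open`, `HSL::send`) exist for.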
      
  • I need help

    I followed the steps but I can't get the iRule to work.

    when HTTP_REQUEST {
    set url "identities-esb.rg.repsol.com"
    set url [HTTP::header Host][HTTP::uri]
    set vip [IP::local_addr]:[TCP::local_port]
    }
    when HTTP_RESPONSE {
     set client [IP::client_addr]:[TCP::client_port]
      set node [IP::server_addr]:[TCP::server_port]
      set nodeResp [HTTP::status]
    }
    log local0.
    filter f_local0 {
    facility(local0) and level(info..emerg);
    }
    destination d_ltm {
    file("/var/log/ltm" create_dirs(yes));
    }
    log {
    source(local);
    filter(f_local0);
    destination(d_ltm);
    }

    This is the error that appears in F5:

    01070151:3: Rule [/TI_TECNOLOGIA_WEB/identities_443] error: /TI_TECNOLOGIA_WEB/identities_443:13: error: [command is not valid in the current scope][log local0. ]
    /TI_TECNOLOGIA_WEB/identities_443:14: error: [undefined procedure: filter][filter f_local0 {
    facility(local0) and level(info..emerg);
    }]
    /TI_TECNOLOGIA_WEB/identities_443:18: error: [undefined procedure: destination][destination d_ltm {
    file("/var/log/ltm" create_dirs(yes));
    }]
    /TI_TECNOLOGIA_WEB/identities_443:22: error: [command is not valid in the current scope][log {
    source(local);
    filter(f_local0);
    destination(d_ltm);
    }]

    regards
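The errors in the post above come from two different things being pasted into one file: `filter`, `destination` and `log { ... }` are syslog-ng configuration, not iRule commands, and they belong in the system's `syslog include` (the form nathe showed earlier), while the iRule itself must contain only `when ... { }` event blocks. As an added example by the editor, not the poster's rule, here is the iRule half on its own, using the variable names from the post; the CR/LF stripping and the decision to log only the path are the editor's additions.

```tcl
# Added example, not from the original thread: an HTTP transaction logger.
# Only iRule event blocks appear here; the syslog-ng filter/destination/log
# stanzas are system configuration and go in the "syslog include" instead.
when HTTP_REQUEST {
    # HTTP::host and HTTP::uri are only valid on the request side, so capture
    # them now for use in HTTP_RESPONSE. Both are attacker-controlled input:
    # strip CR/LF so a crafted request cannot forge additional log lines.
    set url    [string map {"\r" " " "\n" " "} "[HTTP::host][HTTP::path]"]
    set vip    "[IP::local_addr]:[TCP::local_port]"
    set client "[IP::client_addr]:[TCP::client_port]"
}

when HTTP_RESPONSE {
    # The server-side address and the status code exist once a response arrives.
    set node     "[IP::server_addr]:[TCP::server_port]"
    set nodeResp [HTTP::status]
    log local0.info "Client $client -> VIP: $vip -> Node: $node -> URL: $url -> Status: $nodeResp"
}
```

`HTTP::path` is used instead of `HTTP::uri` because the query string routinely carries session tokens, API keys and similar secrets that should not end up in `/var/log/ltm` or on a remote syslog collector; switch to `HTTP::uri` only if the full URL is actually needed and the log destination is treated as sensitive.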