Need assistance with writing an irule to log all traffic flow. Support suggested that this should be done versus making changes to the syslog-ng file. I've tried making changes to syslog-ng file with no luck. Please let me know if this is worth pursuing or should I go back to the syslog-ng file. I'm looking to log source and destination IP addresses along with the corresponding ports. Thanks

Hi, You can use iRules to log the requests and syslog-ng to parse them. Here are some example rules and syslog-ng changes: ======================================================= 1. HTTP logger rule: when HTTP_REQUEST { set the URL here, log it on the response set url [HTTP::header Host][HTTP::uri] set vip [IP::local_addr]:[TCP::local_port] } when HTTP_RESPONSE { set client [IP::client_addr]:[TCP::client_port] set node [IP::server_addr]:[TCP::server_port] set nodeResp [HTTP::status] log connection info log local0.info "Client: $client -> VIP:$vip$url -> Node: $node with response $nodeResp" } ======================================================= 2. TCP logger rule: when CLIENT_ACCEPTED { set vip [IP::local_addr]:[TCP::local_port] } when SERVER_CONNECTED { set client "[IP::client_addr]:[TCP::client_port]" set node "[IP::server_addr]:[TCP::server_port]" } when CLIENT_CLOSED { log connection info log local0.info "Client $client -> VIP: $vip -> Node: $node" } ======================================================= 3. UDP logger rule: when CLIENT_ACCEPTED { set vip [IP::local_addr]:[UDP::local_port] } when SERVER_CONNECTED { set client "[IP::client_addr]:[UDP::client_port]" set node "[IP::server_addr]:[UDP::server_port]" } when CLIENT_CLOSED { log connection info log local0.info "Client $client -> VIP: $vip -> Node: $node" } ======================================================= Associate the TCP, UDP and HTTP rules with the respective virtual servers that you want to log connections for. You can enable a rule for a virtual server under the Resources tab for each virtual server. You will need to make sure that the rule matches the type for each virtual server. For example, you can use the TCP or HTTP rules on an HTTP virtual server. However, you cannot associate a UDP rule unless there is a UDP profile associated with the virtual server. These rules will log to syslog-ng's local0 facility with the following format: Mar 1 08:34:01 tmm tmm[730]: Rule HTTP_logger : Client: 192.168.42.26:4746 VIP:172.25.2.12:80 to server: 172.25.2.233:80 for 172.25.2.12/ with response 200 You can then configure syslog-ng to parse local0.info entries that contain "logger" and send them to a remote syslog server by making the following changes to the /etc/syslog-ng/syslog-ng.conf file. ======================================================= 1. Add: local0.info filter, destination and log statements: local0.info send logger entries to remote syslog server filter f_local0.info { facility(local0) and level(info) and match("logger"); }; destination can be a hostname or IP address destination d_logger { tcp("syslog.myhost.com" port (5000)); }; log { source(local); filter(f_local0.info); destination(d_logger); }; 2. Add: and not match("logger") to local0.* to exclude the logger entries from being written to file local0.* /var/log/ltm filter f_local0 { facility(local0) and level(info..emerg) and not match("logger"); }; destination d_ltm { file("/var/log/ltm" create_dirs(yes)); }; log { source(local); filter(f_local0); destination(d_ltm); }; For more complete documentation on syslog-ng, you can refer to their site: http://www.balabit.com/products/support/syslog-ng/ Or here: http://www.iso.port.ac.uk/docs/downloaded/syslog-ng.html/book1.html Aaron

Thanks for the info. I'm now receiving the logging that I needed. I've also discovered that when I'm sending this to a remote syslog server, it's not using the management interface. How do you designate which interface to use when making the connection to a remote syslog server?

I don't think I can keep up, he's on fire!

Hah... I have a long way to go to catch up to you guys. This forum is a great resource though and I get a lot from the posts here.

Group - Thanks so much for this, it's about 95% of what I need Is there any way to 'timestamp' this sort of connection info? I've been requested to determine how much time is spent 'inside' the F5 for certain http(s) requests. Thanks !

writing an irule to log all traffic

50 Replies

nitass

Employee

Oct 19, 2011

HTTP::cookie is not valid in CLIENT_ACCEPTED.

HTTP::cookie wiki

http://devcentral.f5.com/wiki/iRules.HTTP__cookie.ashx

[root@iris:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.17.33:http
   ip protocol tcp
   rules myrule
   profiles {
      http {}
      tcp {}
   }
}
[root@iris:Active] config  b rule myrule list
rule myrule {
   when HTTP_REQUEST {
   set flag 0
   if {[HTTP::cookie exists "testcookie"]} {
      set flag 1
      set http_request_time [clock clicks -milliseconds]
      set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
   }
}

when HTTP_RESPONSE {
   if {$flag} {
     log local0. "$LogString (response) - pool info: [LB::server] - status: [HTTP::status] (request/response delta: [expr [clock clicks -milliseconds] - $http_request_time]ms)"
   }
}
}

GET / is not shown in log since testcookie has not been presented at the first request (it is set by pool member in the first response). log is written in /var/log/ltm file. if you want to write to another file, you can customize syslog-ng config.

[root@iris:Active] config  tail -f /var/log/ltm
Oct 19 17:59:17 local/tmm info tmm[4601]: Rule myrule : Client 192.168.206.102:63807 -> 172.28.17.33/dog.gif (response) - pool info: foo 10.10.70.110 80 - status: 200 (request/response delta: 1ms)
Oct 19 17:59:17 local/tmm info tmm[4601]: Rule myrule : Client 192.168.206.102:63807 -> 172.28.17.33/favicon.ico (response) - pool info: foo 10.10.70.110 80 - status: 404 (request/response delta: 2ms)
Oct 19 17:59:17 local/tmm info tmm[4601]: Rule myrule : Client 192.168.206.102:63807 -> 172.28.17.33/favicon.ico (response) - pool info: foo 10.10.70.110 80 - status: 404 (request/response delta: 2ms)

Pav_70755

Nimbostratus

Oct 19, 2011

Thanks Nitass

I've added the following irule to the VS i want to log the traffic from

 
  when HTTP_REQUEST {
   set flag 0
   if {[HTTP::cookie exists "mxdata"]} {
      set flag 1
      set http_request_time [clock clicks -milliseconds]
      set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
   }
}

when HTTP_RESPONSE {
   if {$flag} {
     log local0. "$LogString (response) - pool info: [LB::server] - status: [HTTP::status] (request/response delta: [expr [clock clicks -milliseconds] - $http_request_time]ms)"
   }
}

It doesnt seem to be logging anything in the ltm file?

nitass
Employee
Oct 19, 2011
is mxdata cookie really existing? can you try to remove if condition first just for testing?
nitass
Employee
Oct 19, 2011
sorry for duplicated message.
Pav_70755
Nimbostratus
Oct 19, 2011
it does exist as searchprovider = mxdata although we know the ip address of the destination where the search is being called from so could just specify that instead of trying to use the cookie i guess?

could this just be done with a simple if {[HTTP::host] == "X.X.X.X"]} {?
nitass
Employee
Oct 19, 2011
could this just be done with a simple if {[HTTP::host] == "X.X.X.X"]} {?that's fine. by the way, using equals instead of == may be better.

additionally, you may capture packet to see how it is going.

tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap port 80

Pav_70755

Nimbostratus

Oct 19, 2011

I did try a tcpdump but there is too much data ultimatley we just want to find out how long the transfer time to and from this external host is

I modified the rule to this:

  when HTTP_REQUEST {
   set flag 0
   if { [HTTP::host] eq "78.42.24.X"  } {
      set flag 1
      set http_request_time [clock clicks -milliseconds]
      set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
   }
}

when HTTP_RESPONSE {
   if {$flag} {
     log local0. "$LogString (response) - pool info: [LB::server] - status: [HTTP::status] (request/response delta: [expr [clock clicks -milliseconds] - $http_request_time]ms)"
   }
}

and in the ltm file got the following:

Oct 19 14:02:33 sys-bip-01 mcpd[1726]: 01070151:3: Rule [Data_Cookie_Log] error: line 3: [wrong args] [HTTP::host equals "78.42.24.X"] line 12: [use curly braces to avoid double substitution] [[clock clicks -milliseconds]]

nitass

Employee

Oct 19, 2011

this is time. can you double check square bracket of HTTP::host? i think your irule is correct.

when HTTP_REQUEST {
   set flag 0
   if {[HTTP::host] eq "172.28.17.33"} {
      set flag 1
      set http_request_time [clock clicks -milliseconds]
      set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
   }
}

when HTTP_RESPONSE {
   if {$flag} {
      log local0. "$LogString (response) - pool info: [LB::server] - status: [HTTP::status] (request/response delta: [expr [clock clicks -milliseconds] - $http_request_time]ms)"
   }
}

Oct 19 21:15:07 local/tmm info tmm[4601]: Rule myrule : Client 192.168.206.102:65430 -> 172.28.17.33/ (response) - pool info: foo 10.10.70.110 80 - status: 200 (request/response delta: 3ms)
Oct 19 21:15:07 local/tmm info tmm[4601]: Rule myrule : Client 192.168.206.102:65430 -> 172.28.17.33/dog.gif (response) - pool info: foo 10.10.70.110 80 - status: 200 (request/response delta: 1ms)

Pav_70755

Nimbostratus

Oct 19, 2011

ok the ltm file hasnt been updated yet and i've changed it to this:

when HTTP_REQUEST {
   set flag 0
   if {[HTTP::host] eq "78.42.24.X" or [HTTP::cookie exists "mxdata"] } {
      set flag 1
      set http_request_time [clock clicks -milliseconds]
      set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
   }
}

when HTTP_RESPONSE {
   if {$flag} {
      log local0. "$LogString (response) - pool info: [LB::server] - status: [HTTP::status] (request/response delta: [expr [clock clicks -milliseconds] - $http_request_time]ms)"
   }
}

Pav_70755
Nimbostratus
Oct 19, 2011
OK i've checked after about an hour and the ltm file doesnt seem to be getting any info logged from the irule?

this particular VS is making an external request to this host so i'm asuming it should be logged?

Forum Discussion

writing an irule to log all traffic

50 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Failing over Virtual F5 VE to DR location using Zerto

Failing over of a Virtual F5 configuration to another location using Zerto restore process

F5 Networks F5CAB1 Exam - Need Help Regarding Prep

Username is not filled in EdgeClient in the Modern customization

The GSLB pool is providing an incorrect IP to end users

Related Content

Hey DeepSeek, can you write iRules?

Hey Claude, can you write iRules?

Hey ChatGPT, can you write iRules?

iRule, Traffic Policy or Re-Write Policy

Getting Started with iRules: Directing Traffic

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS