Need assistance with writing an irule to log all traffic flow. Support suggested that this should be done versus making changes to the syslog-ng file. I've tried making changes to syslog-ng file with no luck. Please let me know if this is worth pursuing or should I go back to the syslog-ng file. I'm looking to log source and destination IP addresses along with the corresponding ports. Thanks

Hi, You can use iRules to log the requests and syslog-ng to parse them. Here are some example rules and syslog-ng changes: ======================================================= 1. HTTP logger rule: when HTTP_REQUEST { set the URL here, log it on the response set url [HTTP::header Host][HTTP::uri] set vip [IP::local_addr]:[TCP::local_port] } when HTTP_RESPONSE { set client [IP::client_addr]:[TCP::client_port] set node [IP::server_addr]:[TCP::server_port] set nodeResp [HTTP::status] log connection info log local0.info "Client: $client -> VIP:$vip$url -> Node: $node with response $nodeResp" } ======================================================= 2. TCP logger rule: when CLIENT_ACCEPTED { set vip [IP::local_addr]:[TCP::local_port] } when SERVER_CONNECTED { set client "[IP::client_addr]:[TCP::client_port]" set node "[IP::server_addr]:[TCP::server_port]" } when CLIENT_CLOSED { log connection info log local0.info "Client $client -> VIP: $vip -> Node: $node" } ======================================================= 3. UDP logger rule: when CLIENT_ACCEPTED { set vip [IP::local_addr]:[UDP::local_port] } when SERVER_CONNECTED { set client "[IP::client_addr]:[UDP::client_port]" set node "[IP::server_addr]:[UDP::server_port]" } when CLIENT_CLOSED { log connection info log local0.info "Client $client -> VIP: $vip -> Node: $node" } ======================================================= Associate the TCP, UDP and HTTP rules with the respective virtual servers that you want to log connections for. You can enable a rule for a virtual server under the Resources tab for each virtual server. You will need to make sure that the rule matches the type for each virtual server. For example, you can use the TCP or HTTP rules on an HTTP virtual server. However, you cannot associate a UDP rule unless there is a UDP profile associated with the virtual server. These rules will log to syslog-ng's local0 facility with the following format: Mar 1 08:34:01 tmm tmm[730]: Rule HTTP_logger : Client: 192.168.42.26:4746 VIP:172.25.2.12:80 to server: 172.25.2.233:80 for 172.25.2.12/ with response 200 You can then configure syslog-ng to parse local0.info entries that contain "logger" and send them to a remote syslog server by making the following changes to the /etc/syslog-ng/syslog-ng.conf file. ======================================================= 1. Add: local0.info filter, destination and log statements: local0.info send logger entries to remote syslog server filter f_local0.info { facility(local0) and level(info) and match("logger"); }; destination can be a hostname or IP address destination d_logger { tcp("syslog.myhost.com" port (5000)); }; log { source(local); filter(f_local0.info); destination(d_logger); }; 2. Add: and not match("logger") to local0.* to exclude the logger entries from being written to file local0.* /var/log/ltm filter f_local0 { facility(local0) and level(info..emerg) and not match("logger"); }; destination d_ltm { file("/var/log/ltm" create_dirs(yes)); }; log { source(local); filter(f_local0); destination(d_ltm); }; For more complete documentation on syslog-ng, you can refer to their site: http://www.balabit.com/products/support/syslog-ng/ Or here: http://www.iso.port.ac.uk/docs/downloaded/syslog-ng.html/book1.html Aaron

Thanks for the info. I'm now receiving the logging that I needed. I've also discovered that when I'm sending this to a remote syslog server, it's not using the management interface. How do you designate which interface to use when making the connection to a remote syslog server?

I don't think I can keep up, he's on fire!

Hah... I have a long way to go to catch up to you guys. This forum is a great resource though and I get a lot from the posts here.

Group - Thanks so much for this, it's about 95% of what I need Is there any way to 'timestamp' this sort of connection info? I've been requested to determine how much time is spent 'inside' the F5 for certain http(s) requests. Thanks !

writing an irule to log all traffic

50 Replies

Pav_70755
Nimbostratus
Oct 19, 2011
also does it make any difference if the virtual server is using the one connect profile or not?
Michael_Yates
Nimbostratus
Oct 19, 2011
Hi Pav,

If you are not getting anything logged it is because you are not getting any matching events.

This is probably why. The ".X" is not a valid Wildcard.

if {[HTTP::host] eq "78.42.24.X" or [HTTP::cookie exists "mxdata"] } {

You will either need to replace it with a valid wildcard for this situation or change the matching qualifier to a subnet value instead (78.42.24.0/24).

The OneConnect Profile should not matter. It only directs a deeper investigation of all incoming connections to see if they qualify for connection re-use or to better identify individual clients that may be NAT'ed behind a single IP Address.

Hope this helps.
Pav_70755
Nimbostratus
Oct 20, 2011
I've changed it to a host name now

if {[HTTP::host] eq "test.search.co.uk" or [HTTP::cookie exists "searchdata"] } {

this irule is attached to a VS and i've been accessing the individual pool members and using the search function which calls to this external request which i'm trying to log the response times too i've even try usingt he following to log any traffic and im not getting anything either:

when CLIENT_ACCEPTED {

Get time for start of TCP connection in milleseconds

set tcp_start_time [clock clicks -milliseconds]

Log the start of a new TCP connection

log "New TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port]"

}

when HTTP_REQUEST {

Get time for start of HTTP request

set http_request_time [clock clicks -milliseconds]

Log the start of a new HTTP request

set LogString "Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"

log local0. "$LogString (request)"

}

when HTTP_RESPONSE {

Received the response headers from the server. Log the pool name, IP and port, status and time delta

log local0. "$LogString (response) - pool info: [LB::server] - status: [HTTP::status] (request/response delta: [expr [clock clicks -milliseconds] - $http_request_time]ms)"

}

when CLIENT_CLOSED {

Log the end time of the TCP connection

log "Closed TCP connection from [IP::client_addr]:[TCP::client_port] to [IP::local_addr]:[TCP::local_port] (open for: [expr [clock clicks -milliseconds] - $tcp_start_time]ms)"

}
Pav_70755
Nimbostratus
Oct 20, 2011
This is strange that that Aarons rule to log tcp and http requests isnt working either as surely this shoudl log all requests made by this particular VS?
Ganesh_Garg_314
Nimbostratus
May 23, 2012
Hi All,

I have a ques regarding the IRULE for HTTP. We are running 9.4.7 version in our network and I have configure the syslog-ng file to log the logs for that particular Virtual Server into different file. But that file is not rotating on daily basis as LTM file. Can someone please help.

Regards,

Ganesh
opers13_3280
Nimbostratus
Nov 06, 2012
I'm getting a parsing error when configuring syslog-ng:

b syslog include "

>

> local0.info send logger entries to remote syslog server

> filter f_local0.info {

> facility(local0) and level(info) and match("logger");

> };

>

> destination can be a hostname or IP address

> destination d_logger {

> udp("10.160.161.253" port (1026));

> };

>

> log {

> source(local);

> filter(f_local0.info);

> destination(d_logger);

> };"

BIGpipe parsing error:

012e0008:3: The requested command (filter f_local0.info {) is invalid
Chris_Phillips
Nimbostratus
Nov 06, 2012
remove the "." from the filter name
opers13_3280
Nimbostratus
Nov 06, 2012
Did that and still having issues. Thanks for your help

b syslog include "

>

> local0info send logger entries to remote syslog server

> filter f_local0info {

> facility(local0) and level(info) and match("logger");

> };

>

> destination can be a hostname or IP address

> destination d_logger {

> udp("10.160.161.253" port (1026));

> };

>

> log {

> source(local);

> filter(f_local0info);

> destination(d_logger);

> };"

BIGpipe parsing error:

012e0008:3: The requested command (filter f_local0info {) is invalid

nathe

Cirrocumulus

Nov 06, 2012

opers13

Try this:

include " 
filter f_local0.info { 
facility(local0) and level(info) and match("logger"); 
}; 
 
destination d_logger { 
udp(\"10.160.161.253\" port (1026)); 
}; 
 
log { 
source(local); 
filter(f_local0.info); 
destination(d_logger); 
};"

Note the escaping backslashes. See this article: https://devcentral.f5.com/tutorials/tech-tips/ltm-942-custom-syslog-configuration

Hope this helps,

opers13_3280
Nimbostratus
Nov 06, 2012
Still getting parsing error:

b syslog include "

>

> filter f_local0.info {

> facility(local0) and level(info) and match("logger");

> };

>

> destination d_logger {

> udp(\"10.160.161.253\" port (1026));

> };

>

> log {

> source(local);

> filter(f_local0.info);

> destination(d_logger);

> };"

BIGpipe parsing error:

012e0008:3: The requested command (filter f_local0.info {) is invalid

Forum Discussion

writing an irule to log all traffic

50 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Failing over Virtual F5 VE to DR location using Zerto

Failing over of a Virtual F5 configuration to another location using Zerto restore process

F5 Networks F5CAB1 Exam - Need Help Regarding Prep

Username is not filled in EdgeClient in the Modern customization

The GSLB pool is providing an incorrect IP to end users

Related Content

Hey DeepSeek, can you write iRules?

Hey Claude, can you write iRules?

Hey ChatGPT, can you write iRules?

iRule, Traffic Policy or Re-Write Policy

Getting Started with iRules: Directing Traffic

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS